Kaspersky ICS CERT (English) https://ics-cert.kaspersky.com/feed/
APT and financial attacks on industrial organizations in Q4 2025 https://ics-cert.kaspersky.com/publications/reports/2026/03/06/apt-and-financial-attacks-on-industrial-organizations-in-q4-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2026/03/06/apt-and-financial-attacks-on-industrial-organizations-in-q4-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Scenarios in which cyberattacks are used to search for and select targets during military conflicts, a cyberespionage campaign orchestrated and executed by AI – the quarter was rich in interesting incident details.

Fri, 06 Mar 2026 14:07:00 +0000
Cyberattacks on automobile manufacturers, taxi fleets, and logistics providers: The risks to automotive infrastructure in 2026 https://ics-cert.kaspersky.com/publications/blog/2026/02/19/risks-for-the-automotive-industry-in-2026/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2026/02/19/risks-for-the-automotive-industry-in-2026/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A cyberthreat forecast by Kaspersky experts.

Thu, 19 Feb 2026 16:00:00 +0000
Recommendations https://ics-cert.kaspersky.com/publications/reports/2026/02/05/recommendations/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2026/02/05/recommendations/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Baseline security controls and practices that help defend against diverse cyberthreats across multiple stages of an attack, and controls crucial for protecting against particular types of cyberthreats.

Thu, 05 Feb 2026 14:30:00 +0000
Threat landscape for industrial automation systems. Africa, Q3 2025 https://ics-cert.kaspersky.com/publications/reports/2025/12/25/threat-landscape-for-industrial-automation-systems-africa-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/12/25/threat-landscape-for-industrial-automation-systems-africa-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The permanent leader in the percentage of ICS computers on which spyware was blocked.

Thu, 25 Dec 2025 09:00:00 +0000
Threat landscape for industrial automation systems. Middle East, Q3 2025 https://ics-cert.kaspersky.com/publications/reports/2025/12/24/threat-landscape-for-industrial-automation-systems-middle-east-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/12/24/threat-landscape-for-industrial-automation-systems-middle-east-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The ransomware rate in the region remains consistently high, nearly twice the global average.

Wed, 24 Dec 2025 09:01:00 +0000
Threat landscape for industrial automation systems. Asia, Q3 2025 https://ics-cert.kaspersky.com/publications/reports/2025/12/24/threat-landscape-for-industrial-automation-systems-asia-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/12/24/threat-landscape-for-industrial-automation-systems-asia-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main East Asia saw a sharp increase in the percentage of ICS computers on which malicious scripts and phishing pages were blocked. The review of key cybersecurity issues in Asian regions.

Wed, 24 Dec 2025 09:00:00 +0000
Threat landscape for industrial automation systems. Australia and New Zealand, Q3 2025 https://ics-cert.kaspersky.com/publications/reports/2025/12/23/threat-landscape-for-industrial-automation-systems-australia-and-new-zealand-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/12/23/threat-landscape-for-industrial-automation-systems-australia-and-new-zealand-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This quarter, Australia and New Zealand rank first in growth of the email client threat indicator.

Tue, 23 Dec 2025 09:01:00 +0000
Threat landscape for industrial automation systems. South and North America (Canada), Q3 2025 https://ics-cert.kaspersky.com/publications/reports/2025/12/23/threat-landscape-for-industrial-automation-systems-south-and-north-america-canada-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/12/23/threat-landscape-for-industrial-automation-systems-south-and-north-america-canada-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This quarter, South America leads both in the percentage of ICS computers on which malicious documents were blocked and in growth of this indicator. The review of key cybersecurity issues in the regions.

Tue, 23 Dec 2025 09:00:00 +0000
Threat landscape for industrial automation systems. Europe, Q3 2025 https://ics-cert.kaspersky.com/publications/reports/2025/12/22/threat-landscape-for-industrial-automation-systems-europe-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/12/22/threat-landscape-for-industrial-automation-systems-europe-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Miners are still a major problem for Northern Europe. The review of key cybersecurity issues in European regions.

Mon, 22 Dec 2025 09:01:00 +0000
Threat landscape for industrial automation systems. Russia, Q3 2025 https://ics-cert.kaspersky.com/publications/reports/2025/12/22/threat-landscape-for-industrial-automation-systems-russia-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/12/22/threat-landscape-for-industrial-automation-systems-russia-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This quarter, the percentage of ICS computers on which spyware and ransomware were blocked increased significantly in the region.

Mon, 22 Dec 2025 09:00:00 +0000
A brief overview of the main incidents in industrial cybersecurity. Q3 2025 https://ics-cert.kaspersky.com/publications/reports/2025/12/18/a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/12/18/a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The attack on Jaguar Land Rover, which affected about 5,000 organizations, as well as more than 100 other incidents, including some significant ones that occurred in the transport and logistics sector.

Thu, 18 Dec 2025 09:00:00 +0000
Threat landscape for industrial automation systems. Q3 2025 https://ics-cert.kaspersky.com/publications/reports/2025/12/11/threat-landscape-for-industrial-automation-systems-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/12/11/threat-landscape-for-industrial-automation-systems-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Malicious scripts and phishing pages led the threat categories in terms of both the percentage of ICS computers on which this threat was blocked and the growth rate.

Thu, 11 Dec 2025 09:00:00 +0000
APT and financial attacks on industrial organizations in Q3 2025 https://ics-cert.kaspersky.com/publications/reports/2025/12/01/apt-and-financial-attacks-on-industrial-organizations-in-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/12/01/apt-and-financial-attacks-on-industrial-organizations-in-q3-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Use of AI, trusted relationships and historical security problems of traditional OSes – some interesting details of attacks on industrial enterprises.

Mon, 01 Dec 2025 13:07:00 +0000
God Mode On: Researchers run Doom on a vehicle’s head unit after remotely attacking its modem https://ics-cert.kaspersky.com/publications/reports/2025/11/20/god-mode-on-researchers-run-doom-on-a-vehicles-head-unit-after-remotely-attacking-its-modem/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/11/20/god-mode-on-researchers-run-doom-on-a-vehicles-head-unit-after-remotely-attacking-its-modem/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Exploiting a vulnerability identified in a modem installed in the head units of some vehicles enabled Kaspersky ICS CERT experts to gain complete control of the system.

Thu, 20 Nov 2025 11:00:00 +0000
“Security researchers are the main factor motivating automakers to invest in protecting their products” https://ics-cert.kaspersky.com/publications/blog/2025/10/30/security-researchers-are-the-main-factor-motivating-automakers-to-invest-in-protecting-their-products/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2025/10/30/security-researchers-are-the-main-factor-motivating-automakers-to-invest-in-protecting-their-products/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Industrial system vulnerability research experts discuss threats associated with over-the-air data transmission technologies, attack vectors targeting electric vehicles specifically, the evolution of transportation systems from a cybersecurity perspective, and the role of artificial intelligence in ensuring cybersecurity.

Thu, 30 Oct 2025 09:00:00 +0000
A brief overview of the main incidents in industrial cybersecurity. Q2 2025 https://ics-cert.kaspersky.com/publications/reports/2025/10/09/a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/10/09/a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main More than 130 incidents were publicly confirmed by victims. Among them are not only high-profile technology corporations and enterprises, but also a lake dam.

Thu, 09 Oct 2025 09:00:00 +0000
Threat landscape for industrial automation systems. Europe, Q2 2025 https://ics-cert.kaspersky.com/publications/reports/2025/09/23/threat-landscape-for-industrial-automation-systems-europe-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/09/23/threat-landscape-for-industrial-automation-systems-europe-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In Southern and Eastern Europe, the risk of targeted attacks is high – there are high levels of email threats (phishing) and spyware. The review of key cybersecurity issues in European regions.

Tue, 23 Sep 2025 09:00:00 +0000
Threat landscape for industrial automation systems. Russia, Q2 2025 https://ics-cert.kaspersky.com/publications/reports/2025/09/23/threat-landscape-for-industrial-automation-systems-russia-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/09/23/threat-landscape-for-industrial-automation-systems-russia-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The region where the main threat source is the internet and the percentage of ICS computers on which miners in the form of executable files for Windows were blocked is usually high.

Tue, 23 Sep 2025 08:00:00 +0000
Threat landscape for industrial automation systems. Middle East, Q2 2025 https://ics-cert.kaspersky.com/publications/reports/2025/09/22/threat-landscape-for-industrial-automation-systems-middle-east-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/09/22/threat-landscape-for-industrial-automation-systems-middle-east-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The region with high risk of targeted attacks against the technological infrastructures of industrial enterprises

Mon, 22 Sep 2025 11:00:00 +0000
Threat landscape for industrial automation systems. South and North America (Canada), Q2 2025 https://ics-cert.kaspersky.com/publications/reports/2025/09/22/threat-landscape-for-industrial-automation-systems-south-and-north-america-canada-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/09/22/threat-landscape-for-industrial-automation-systems-south-and-north-america-canada-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The percentage of threats from email clients increased significantly in South America, and from the internet – in North America (Canada). The review of key cybersecurity issues in these regions.

Mon, 22 Sep 2025 09:00:00 +0000
Threat landscape for industrial automation systems. Australia and New Zealand, Q2 2025 https://ics-cert.kaspersky.com/publications/reports/2025/09/19/threat-landscape-for-industrial-automation-systems-australia-and-new-zealand-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/09/19/threat-landscape-for-industrial-automation-systems-australia-and-new-zealand-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The region ranks first in terms of the increase in the percentage of ICS computers on which malicious objects were blocked.

Fri, 19 Sep 2025 12:00:00 +0000
Threat landscape for industrial automation systems. Asia, Q2 2025 https://ics-cert.kaspersky.com/publications/reports/2025/09/19/threat-landscape-for-industrial-automation-systems-asia-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/09/19/threat-landscape-for-industrial-automation-systems-asia-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main South-East Asia ranks first in the world in terms of the percentage of ICS computers on which viruses and malware for AutoCAD were blocked. The review of key cybersecurity issues in Asian regions.

Fri, 19 Sep 2025 09:00:00 +0000
Threat landscape for industrial automation systems. Africa, Q2 2025 https://ics-cert.kaspersky.com/publications/reports/2025/09/18/threat-landscape-for-industrial-automation-systems-africa-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/09/18/threat-landscape-for-industrial-automation-systems-africa-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The leader for many years in the percentage of ICS computers on which malicious objects were blocked. The region with low cybersecurity maturity of industrial organizations.

Thu, 18 Sep 2025 09:00:00 +0000
Detective investigation of APT and rare virus specimens: Kaspersky ICS CERT experts to present new research at KICC https://ics-cert.kaspersky.com/events/2025/09/17/detective-investigation-of-apt-and-rare-virus-specimens-kaspersky-ics-cert-experts-to-present-new-research-at-kicc/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2025/09/17/detective-investigation-of-apt-and-rare-virus-specimens-kaspersky-ics-cert-experts-to-present-new-research-at-kicc/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The Kaspersky Industrial Cybersecurity Conference, one of the leading international events in the field of industrial cybersecurity, takes place from September 23 to 25.

Wed, 17 Sep 2025 11:54:00 +0000
Threat landscape for industrial automation systems. Q2 2025 https://ics-cert.kaspersky.com/publications/reports/2025/09/11/threat-landscape-for-industrial-automation-systems-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/09/11/threat-landscape-for-industrial-automation-systems-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The percentage of ICS computers on which denylisted internet resources were blocked increased in all regions. This growth is associated with the addition of direct links to malicious code hosted on popular public websites and file services.

Thu, 11 Sep 2025 10:28:00 +0000
Dynamics of external and internal threats to industrial control systems. Q2 2025 https://ics-cert.kaspersky.com/publications/reports/2025/09/10/dynamics-of-external-and-internal-threats-to-industrial-control-systems-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/09/10/dynamics-of-external-and-internal-threats-to-industrial-control-systems-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A segmentation of the attacked ICS computers into categories based on the malware blocked and the sources of its entry which helps to understand the ICS threat landscape better and identify the factors that affect it.

Wed, 10 Sep 2025 12:21:00 +0000
APT and financial attacks on industrial organizations in Q2 2025 https://ics-cert.kaspersky.com/publications/reports/2025/09/04/apt-and-financial-attacks-on-industrial-organizations-in-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/09/04/apt-and-financial-attacks-on-industrial-organizations-in-q2-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Spreading from a compromised organization to its peers with hijacked emails, using the ClickFix social engineering method – non-trivial tactics and techniques were reported this quarter.

Thu, 04 Sep 2025 14:00:00 +0000
Modern vehicle cybersecurity trends https://ics-cert.kaspersky.com/publications/reports/2025/08/21/modern-vehicle-cybersecurity-trends/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/08/21/modern-vehicle-cybersecurity-trends/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Why cyberattacks on vehicles have not yet become a widespread phenomenon, what are the consequences of turning a car into a gadget and which ones are at risk

Thu, 21 Aug 2025 09:00:00 +0000
Faults in digital avionics systems threaten flight safety https://ics-cert.kaspersky.com/publications/reports/2025/07/17/faults-in-digital-avionics-systems-threaten-flight-safety/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/07/17/faults-in-digital-avionics-systems-threaten-flight-safety/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky experts analyze aviation incidents and accidents caused by failures of digital avionics systems and warn of potential cyberattack risks

Thu, 17 Jul 2025 09:00:00 +0000
A brief overview of the main incidents in industrial cybersecurity. Q1 2025 https://ics-cert.kaspersky.com/publications/reports/2025/06/26/a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity-q1-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/06/26/a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity-q1-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The attack on Kuala Lumpur airport, which knocked out many of its information systems for 10 hours, plus over 100 more incidents.

Thu, 26 Jun 2025 09:00:00 +0000
APT and financial attacks on industrial organizations in Q1 2025 https://ics-cert.kaspersky.com/publications/reports/2025/06/19/apt-and-financial-attackson-industrial-organizations-in-q1-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/06/19/apt-and-financial-attackson-industrial-organizations-in-q1-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Use of polyglot files, the 7-Zip vulnerability and the 0-click vulnerability in MS Windows – some interesting details of attacks on industrial enterprises disclosed this quarter.

Thu, 19 Jun 2025 09:00:00 +0000
Threat landscape for industrial automation systems. Regions, Q1 2025 https://ics-cert.kaspersky.com/publications/reports/2025/06/10/threat-landscape-for-industrial-automation-systems-regions-q1-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/06/10/threat-landscape-for-industrial-automation-systems-regions-q1-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The internet ranks first among threat sources in all regions. The problem is particularly relevant to Africa, South-East Asia, South Asia and Russia.

Tue, 10 Jun 2025 09:00:00 +0000
TTPs of Cyber Partisans activity aimed at espionage and disruption https://ics-cert.kaspersky.com/publications/reports/2025/06/05/ttps-of-cyber-partisans-activity-aimed-at-espionage-and-disruption/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/06/05/ttps-of-cyber-partisans-activity-aimed-at-espionage-and-disruption/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky ICS CERT experts managed to find and analyze the malware and utilities most probably used by the actors. The key finding was a previously unknown backdoor.

Thu, 05 Jun 2025 10:33:00 +0000
Threat landscape for industrial automation systems. Q1 2025 https://ics-cert.kaspersky.com/publications/reports/2025/05/15/threat-landscape-for-industrial-automation-systems-q1-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/05/15/threat-landscape-for-industrial-automation-systems-q1-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The percentage of ICS computers on which various types of malware spread via the internet and email were blocked increased for the first time in two years.

Thu, 15 May 2025 09:00:00 +0000
“Security by design helps you stay one step ahead” https://ics-cert.kaspersky.com/publications/blog/2025/04/15/security-by-design-helps-you-stay-one-step-ahead/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2025/04/15/security-by-design-helps-you-stay-one-step-ahead/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky expert discusses the challenges of assessing the security of industrial facilities and the role of the professional community in their protection, the reasons behind security issues in rapidly evolving industries, and the impact of digitalization on society.

Tue, 15 Apr 2025 09:00:00 +0000
A brief overview of the main incidents in industrial cybersecurity. Q4 2024 https://ics-cert.kaspersky.com/publications/reports/2025/04/08/q4-2024-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/04/08/q4-2024-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main More than 100 companies publicly reported cyberattacks. Two of them announced their insolvency after the incident. In two other cases, two ransomware gangs simultaneously claimed responsibility for the same hack.

Tue, 08 Apr 2025 09:00:00 +0000
APT and financial attacks on industrial organizations in Q4 2024 https://ics-cert.kaspersky.com/publications/reports/2025/03/25/apt-and-financial-attacks-on-industrial-organizations-in-q4-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/03/25/apt-and-financial-attacks-on-industrial-organizations-in-q4-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Abuse of Telegram to spy on and put pressure on victims’ employees, notifying victims by printing messages on printers connected to a compromised network – we publish interesting details of attacks on industrial enterprises disclosed this quarter.

Tue, 25 Mar 2025 09:00:00 +0000
Threat landscape for industrial automation systems. Regions, Q4 2024 https://ics-cert.kaspersky.com/publications/reports/2025/03/17/threat-landscape-for-industrial-automation-systems-regions-q4-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/03/17/threat-landscape-for-industrial-automation-systems-regions-q4-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The percentage of ICS computers on which malicious objects were blocked increased in eight regions. Regionally, the percentage ranged from 10.6% in Northern Europe to 31.0% in Africa.

Mon, 17 Mar 2025 09:01:00 +0000
Threat landscape for industrial automation systems. Q4 2024 https://ics-cert.kaspersky.com/publications/reports/2025/03/17/threat-landscape-for-industrial-automation-systems-q4-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/03/17/threat-landscape-for-industrial-automation-systems-q4-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The percentage of ICS computers on which malicious scripts and phishing pages as well as ransomware were blocked continued to increase.

Mon, 17 Mar 2025 09:00:00 +0000
Operation SalmonSlalom https://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky discovered a new attack targeting industrial organizations in APAC

Sun, 23 Feb 2025 21:00:00 +0000
Q3 2024 – a brief overview of the main incidents in industrial cybersecurity https://ics-cert.kaspersky.com/publications/reports/2025/02/19/q3-2024-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/02/19/q3-2024-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Many large companies, including some well-known brands, were affected by cyberattacks. An unusually high number of victims were in critical sectors such as utilities and power and energy.

Wed, 19 Feb 2025 09:00:00 +0000
Threat predictions for industrial enterprises 2025 https://ics-cert.kaspersky.com/publications/reports/2025/01/29/threat-predictions-for-industrial-enterprises-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2025/01/29/threat-predictions-for-industrial-enterprises-2025/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky ICS CERT analyzes industrial threat trends and makes forecasts on how the industrial threat landscape will look in 2025.

Wed, 29 Jan 2025 10:00:00 +0000
APT and financial attacks on industrial organizations in Q3 2024 https://ics-cert.kaspersky.com/publications/reports/2024/12/26/apt-and-financial-attackson-industrial-organizationsin-q3-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/12/26/apt-and-financial-attackson-industrial-organizationsin-q3-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main During the quarter, a number of research papers and technical advisories were published detailing attacks that either targeted or affected organizations in the industrial sector. From our perspective, the following are likely to be the most interesting for researchers and useful for cybersecurity practitioners

Thu, 26 Dec 2024 09:00:00 +0000
Threat landscape for industrial automation systems. Regions, Q3 2024 https://ics-cert.kaspersky.com/publications/reports/2024/12/25/threat-landscape-for-industrial-automation-systems-regions-q3-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/12/25/threat-landscape-for-industrial-automation-systems-regions-q3-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The percentage of ICS computers on which malicious objects were blocked decreased from the second quarter to 22%. But the figure increased in Africa, South Asia, South-East Asia, the Middle East, Latin America, and East Asia. Regionally, the percentage ranged from 9.7% in Northern Europe to 31.5% in Africa.

Wed, 25 Dec 2024 09:01:00 +0000
Threat landscape for industrial automation systems. Q3 2024 https://ics-cert.kaspersky.com/publications/reports/2024/12/25/threat-landscape-for-industrial-automation-systems-q3-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/12/25/threat-landscape-for-industrial-automation-systems-q3-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The percentage of ICS computers on which malicious objects were blocked decreased by 1.5 pp from the second quarter to 22%. The biometrics sector led the surveyed industries in terms of this parameter.

Wed, 25 Dec 2024 09:00:00 +0000
Threat landscape for industrial automation systems. Regions, Q2 2024 https://ics-cert.kaspersky.com/publications/reports/2024/11/21/threat-landscape-for-industrial-automation-systems-regions-q2-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/11/21/threat-landscape-for-industrial-automation-systems-regions-q2-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The global percentage of ICS computers on which malicious objects were blocked decreased from Q1 2024 to 23.5%. But the figure increased in four regions. Regionally, the percentage ranged from 11.3% in Northern Europe to 30% in Africa.

Thu, 21 Nov 2024 09:00:00 +0000
Q2 2024 – a brief overview of the main incidents in industrial cybersecurity https://ics-cert.kaspersky.com/publications/reports/2024/11/08/q2-2024-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/11/08/q2-2024-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A total of 35 incidents were confirmed by victims. Half of the attacks reportedly resulted in the denial of IT systems and the denial of operations. There is a case of a company that was unable to recover from the impact of a cyberattack and decided to cease operations.

Fri, 08 Nov 2024 09:00:00 +0000
APT and financial attacks on industrial organizations in Q2 2024 https://ics-cert.kaspersky.com/publications/reports/2024/10/03/apt-and-financial-attacks-on-industrial-organizations-in-q2-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/10/03/apt-and-financial-attacks-on-industrial-organizations-in-q2-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This summary provides an overview of the reports of APT and financial attacks on industrial enterprises that were disclosed in Q2 2024, as well as the related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities.

Thu, 03 Oct 2024 09:00:00 +0000
Threat landscape for industrial automation systems. Q2 2024 https://ics-cert.kaspersky.com/publications/reports/2024/09/26/threat-landscape-for-industrial-automation-systems-q2-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/09/26/threat-landscape-for-industrial-automation-systems-q2-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In the second quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.9 pp from the previous quarter to 23.5%. Compared to the second quarter of 2023, the percentage decreased by 3.3 pp.

Thu, 26 Sep 2024 08:00:00 +0000
Cinterion EHS5 3G UMTS/HSPA Module Research https://ics-cert.kaspersky.com/publications/reports/2024/06/13/cinterion-ehs5-3g-umts-hspa-module-research/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/06/13/cinterion-ehs5-3g-umts-hspa-module-research/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In the course of the modem security analysis, we found seven locally exploited vulnerabilities and one remotely exploited vulnerability. The combination of these vulnerabilities could allow an attacker to gain complete control over the modem.

Thu, 13 Jun 2024 10:00:00 +0000
APT and financial attacks on industrial organizations in Q1 2024 https://ics-cert.kaspersky.com/publications/reports/2024/06/10/apt-and-financial-attacks-on-industrial-organizations-in-q1-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/06/10/apt-and-financial-attacks-on-industrial-organizations-in-q1-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This summary provides an overview of the reports of APT and financial attacks on industrial enterprises, as well as the related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities.

Mon, 10 Jun 2024 10:00:00 +0000
Q1 2024 – a brief overview of the main incidents in industrial cybersecurity https://ics-cert.kaspersky.com/publications/reports/2024/06/03/q1-2024-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/06/03/q1-2024-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A total of 30 incidents were confirmed by victims. 37% of victims reported denial of operations or product shipment caused by the incident. Almost half of all incidents resulted in disruption of the victims’ public digital services.

Mon, 03 Jun 2024 10:00:00 +0000
Threat landscape for industrial automation systems. Q1 2024 https://ics-cert.kaspersky.com/publications/reports/2024/05/27/threat-landscape-for-industrial-automation-systems-q1-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/05/27/threat-landscape-for-industrial-automation-systems-q1-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In the first quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.3 pp from the previous quarter to 21.4%. Compared to the first quarter of 2023, the percentage decreased by 1.3 pp.

Mon, 27 May 2024 10:01:00 +0000
Threat landscape for industrial automation systems. Regions, Q1 2024 https://ics-cert.kaspersky.com/publications/reports/2024/05/27/threat-landscape-for-industrial-automation-systems-regions-q1-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/05/27/threat-landscape-for-industrial-automation-systems-regions-q1-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The percentage of ICS computers on which malicious objects were blocked during the quarter varied regionally from 34.2% in Africa to 11.5% in Northern Europe. Africa and South-East Asia saw their percentages increase from the previous quarter.

Mon, 27 May 2024 10:00:00 +0000
H2 2023 – a brief overview of main incidents in industrial cybersecurity https://ics-cert.kaspersky.com/publications/reports/2024/04/11/h2-2023-a-brief-overview-of-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/04/11/h2-2023-a-brief-overview-of-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In this overview, we discuss cybercriminal and hacktivist attacks on industrial organizations.

Thu, 11 Apr 2024 10:00:00 +0000
APT and financial attacks on industrial organizations in H2 2023 https://ics-cert.kaspersky.com/publications/reports/2024/04/02/apt-and-financial-attacks-on-industrial-organizations-in-h2-2023/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/04/02/apt-and-financial-attacks-on-industrial-organizations-in-h2-2023/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An overview of reports of APT and financial attacks on industrial enterprises, as well as related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities

Tue, 02 Apr 2024 10:00:00 +0000
Industrial cybersecurity in 2024: trends and forecasts presented by Evgeny Goncharov, head of Kaspersky’s ICS CERT https://ics-cert.kaspersky.com/events/2024/03/26/industrial-cybersecurity-in-2024-trends-and-forecasts-presented-by-evgeny-goncharov-head-of-kasperskys-ics-cert/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2024/03/26/industrial-cybersecurity-in-2024-trends-and-forecasts-presented-by-evgeny-goncharov-head-of-kasperskys-ics-cert/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main As the industrial landscape evolves, so do the threats that accompany it. While many industrial threats may be developing slowly from year to year, subtle changes are reaching a critical mass, poised to reshape the cybersecurity landscape in the near future.

Tue, 26 Mar 2024 09:39:50 +0000
Threat landscape for industrial automation systems. Statistics for H2 2023 https://ics-cert.kaspersky.com/publications/reports/2024/03/19/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2023/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/03/19/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2023/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The statistical data presented in the report was received from ICS computers protected by Kaspersky products that Kaspersky ICS CERT categorizes as part of the industrial infrastructure at organizations.

Tue, 19 Mar 2024 10:00:00 +0000
Cybersecurity in the automotive industry: Ensuring compliance with UNECE regulations https://ics-cert.kaspersky.com/publications/reports/2024/02/07/cybersecurity-in-the-automotive-industry-ensuring-compliance-with-unece-regulations/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/02/07/cybersecurity-in-the-automotive-industry-ensuring-compliance-with-unece-regulations/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main What UN Regulations 155 and 156 require from vehicle manufacturers in reality, and how to ensure compliance with requirements and prepare for certification if necessary

Wed, 07 Feb 2024 10:00:00 +0000
ICS and OT threat predictions for 2024 https://ics-cert.kaspersky.com/publications/reports/2024/01/31/ics-and-ot-threat-predictions-for-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2024/01/31/ics-and-ot-threat-predictions-for-2024/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Most of the described trends have been observed before. However, some of them have reached a critical mass of creeping changes, which could lead to a qualitative shift in the threat landscape

Wed, 31 Jan 2024 10:00:00 +0000
Telit Cinterion (Thales/Gemalto) modules. Exposure of Sensitive Information Through Environmental Variables https://ics-cert.kaspersky.com/advisories/2023/11/09/klcert-22-212-telit-cinterion-thales-gemalto-modules-exposure-of-sensitive-information-through-environmental-variables/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2023/11/09/klcert-22-212-telit-cinterion-thales-gemalto-modules-exposure-of-sensitive-information-through-environmental-variables/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A CWE-526: Exposure of Sensitive Information Through Environmental Variables vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a local, low privileged attacker to get access to sensitive data on the targeted system.

Thu, 09 Nov 2023 09:30:05 +0000
Telit Cinterion (Thales/Gemalto) modules. Exposure of Sensitive Information to an Unauthorized Actor https://ics-cert.kaspersky.com/advisories/2023/11/09/klcert-22-193-telit-cinterion-thales-gemalto-modules-exposure-of-sensitive-information-to-an-unauthorized-actor/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2023/11/09/klcert-22-193-telit-cinterion-thales-gemalto-modules-exposure-of-sensitive-information-to-an-unauthorized-actor/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow an attacker with physical access to the target system to get access to sensitive data on the targeted system.

Thu, 09 Nov 2023 09:29:54 +0000
Telit Cinterion (Thales/Gemalto) modules. Buffer Copy without Checking Size of Input vulnerability https://ics-cert.kaspersky.com/advisories/2023/11/08/klcert-23-018-telit-cinterion-thales-gemalto-modules-buffer-copy-without-checking-size-of-input-vulnerability/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2023/11/08/klcert-23-018-telit-cinterion-thales-gemalto-modules-buffer-copy-without-checking-size-of-input-vulnerability/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists in Telit Cinterion EHS5/6/8 that could allow a remote unauthenticated attacker to execute arbitrary code on the targeted system by sending a specially crafted SMS message.

Wed, 08 Nov 2023 13:10:26 +0000
Telit Cinterion (Thales/Gemalto) modules. Improper Privilege Management vulnerability https://ics-cert.kaspersky.com/advisories/2023/11/08/klcert-22-216-telit-cinterion-thales-gemalto-modules-improper-privilege-management-vulnerability/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2023/11/08/klcert-22-216-telit-cinterion-thales-gemalto-modules-improper-privilege-management-vulnerability/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A CWE-269: Improper Privilege Management vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a local, low privileged attacker to elevate privileges to “manufacturer” level on the targeted system.

Wed, 08 Nov 2023 13:10:19 +0000
Telit Cinterion (Thales/Gemalto) modules. Relative Path Traversal https://ics-cert.kaspersky.com/advisories/2023/11/08/klcert-22-211-telit-cinterion-thales-gemalto-modules-relative-path-traversal/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2023/11/08/klcert-22-211-telit-cinterion-thales-gemalto-modules-relative-path-traversal/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A CWE-23: Relative Path Traversal vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a local, low privileged attacker to escape from virtual directories and get read/write access to protected files on the targeted system.

Wed, 08 Nov 2023 13:10:11 +0000
Telit Cinterion (Thales/Gemalto) modules. Exposure of Sensitive Information to an Unauthorized Actor vulnerability https://ics-cert.kaspersky.com/advisories/2023/11/08/klcert-22-210-telit-cinterion-thales-gemalto-modules-exposure-of-sensitive-information-to-an-unauthorized-actor-vulnerability/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2023/11/08/klcert-22-210-telit-cinterion-thales-gemalto-modules-exposure-of-sensitive-information-to-an-unauthorized-actor-vulnerability/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a local, low privileged attacker to disclose hidden virtual paths and file names on the targeted system.

Wed, 08 Nov 2023 13:10:03 +0000
Telit Cinterion (Thales/Gemalto) modules. Files or Directories Accessible to External Parties vulnerability https://ics-cert.kaspersky.com/advisories/2023/11/08/klcert-22-194-telit-cinterion-thales-gemalto-modules-files-or-directories-accessible-to-external-parties-vulnerability/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2023/11/08/klcert-22-194-telit-cinterion-thales-gemalto-modules-files-or-directories-accessible-to-external-parties-vulnerability/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow an attacker with physical access to the target system to obtain read/write access to any files and directories on the targeted system, including hidden files and directories.

Wed, 08 Nov 2023 13:09:51 +0000
Updated MATA attacks industrial companies in Eastern Europe https://ics-cert.kaspersky.com/publications/reports/2023/10/18/updated-mata-attacks-industrial-companies-in-eastern-europe/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2023/10/18/updated-mata-attacks-industrial-companies-in-eastern-europe/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky experts discovered several detections of malware from the MATA cluster, previously attributed to the Lazarus group, compromising defense contractor companies in Eastern Europe.

Wed, 18 Oct 2023 10:00:00 +0000
H1 2023 – a brief overview of main incidents in industrial cybersecurity https://ics-cert.kaspersky.com/publications/reports/2023/10/05/h1-2023-a-brief-overview-of-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2023/10/05/h1-2023-a-brief-overview-of-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In this overview, we discuss cybercriminal and hacktivist attacks on industrial organizations.

Thu, 05 Oct 2023 08:00:00 +0000
APT and financial attacks on industrial organizations in H1 2023 https://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An overview of reports of APT and financial attacks on industrial enterprises, as well as related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities

Mon, 25 Sep 2023 08:00:00 +0000
Threat landscape for industrial automation systems. Statistics for H1 2023 https://ics-cert.kaspersky.com/publications/reports/2023/09/13/threat-landscape-for-industrial-automation-systems-statistics-for-h1-2023/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2023/09/13/threat-landscape-for-industrial-automation-systems-statistics-for-h1-2023/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The statistical data presented in the report was received from ICS computers protected by Kaspersky products that Kaspersky ICS CERT categorizes as part of the industrial infrastructure at organizations.

Wed, 13 Sep 2023 09:00:00 +0000
Common TTPs of attacks against industrial organizations. Implants for uploading data https://ics-cert.kaspersky.com/publications/reports/2023/08/10/common-ttps-of-attacks-against-industrial-organizations-implants-for-uploading-data/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2023/08/10/common-ttps-of-attacks-against-industrial-organizations-implants-for-uploading-data/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In this part we present information on the four types of implants and two tools used during the last (third) stage of the attacks discovered.

Thu, 10 Aug 2023 08:00:00 +0000
Common TTPs of attacks against industrial organizations. Implants for gathering data https://ics-cert.kaspersky.com/publications/reports/2023/07/31/common-ttps-of-attacks-against-industrial-organizations-implants-for-gathering-data/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2023/07/31/common-ttps-of-attacks-against-industrial-organizations-implants-for-gathering-data/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This part of the research is devoted to second stage malware used to gather data on infected systems of industrial organizations.

Mon, 31 Jul 2023 08:00:00 +0000
Common TTPs of attacks against industrial organizations. Implants for remote access https://ics-cert.kaspersky.com/publications/reports/2023/07/20/common-ttps-of-attacks-against-industrial-organizations-implants-for-remote-access/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2023/07/20/common-ttps-of-attacks-against-industrial-organizations-implants-for-remote-access/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In this article (which is the first part of the report) we analyze common TTPs of implants used by threat actors to establish a persistent remote access channel into the infrastructure of industrial organizations.

Thu, 20 Jul 2023 08:00:00 +0000
Why APTs are so successful – stories from IR trenches https://ics-cert.kaspersky.com/publications/blog/2023/05/30/why-apts-are-so-successful-stories-from-ir-trenches/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2023/05/30/why-apts-are-so-successful-stories-from-ir-trenches/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main During IR, while trying to figure out what went wrong, we’ve found numerous issues

Tue, 30 May 2023 08:00:00 +0000
APT attacks on industrial organizations in H2 2022 https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This summary provides an overview of APT attacks on industrial enterprises and activity of groups that have been observed attacking industrial organizations and critical infrastructure facilities.

Fri, 24 Mar 2023 07:00:00 +0000
H2 2022 – brief overview of main incidents in industrial cybersecurity https://ics-cert.kaspersky.com/publications/reports/2023/03/15/h2-2022-brief-overview-of-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2023/03/15/h2-2022-brief-overview-of-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In this overview, we discuss cybercriminal and hacktivist attacks on industrial organizations.

Wed, 15 Mar 2023 16:00:00 +0000
Threat landscape for industrial automation systems. Statistics for H2 2022 https://ics-cert.kaspersky.com/publications/reports/2023/03/06/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2022/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2023/03/06/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2022/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The statistical data presented in the report was received from ICS computers protected by Kaspersky products that Kaspersky ICS CERT categorizes as part of the industrial infrastructure at organizations.

Mon, 06 Mar 2023 10:00:00 +0000
Unusual penetration techniques – in the wild and in Red Team research https://ics-cert.kaspersky.com/publications/blog/2022/12/12/unusual-penetration-techniques-in-the-wild-and-in-red-team-research/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2022/12/12/unusual-penetration-techniques-in-the-wild-and-in-red-team-research/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main I would like to talk about some of the tricks and methods I have seen used to gain that all important initial access to remote systems. Specifically, the unexpected and unusual.

Mon, 12 Dec 2022 13:07:17 +0000
ICS cyberthreats in 2023 – what to expect https://ics-cert.kaspersky.com/publications/reports/2022/11/22/ics-cyberthreats-in-2023-what-to-expect/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2022/11/22/ics-cyberthreats-in-2023-what-to-expect/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Cybersecurity incidents were plentiful in 2022, causing many problems for industrial infrastructure owners and operators. Below we share some of our thoughts on potential developments of 2023, though we cannot claim to be providing either a complete picture or a high degree of precision.

Tue, 22 Nov 2022 08:00:00 +0000
Digital twins and ensuring the cybersecurity of enterprises. Oil and gas industry https://ics-cert.kaspersky.com/publications/reports/2022/10/20/digital-twins-and-ensuring-the-cybersecurity-of-enterprises-oil-and-gas-industry/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2022/10/20/digital-twins-and-ensuring-the-cybersecurity-of-enterprises-oil-and-gas-industry/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In modern technology-intensive production, IT and large-scale digitalization, and therefore new cybersecurity technologies, are essential to remaining competitive, reducing costs associated with maintaining the existing infrastructure, and increasing net profits.

Thu, 20 Oct 2022 08:00:00 +0000
WAGO 750 Controllers. Denial of service of the FTP server https://ics-cert.kaspersky.com/advisories/2022/10/12/klcert-22-046-wago-750-controllers-denial-of-service-of-the-ftp-server/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2022/10/12/klcert-22-046-wago-750-controllers-denial-of-service-of-the-ftp-server/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab has discovered a denial-of-service vulnerability in the WAGO 750 controllers.

Wed, 12 Oct 2022 10:09:32 +0000
The secrets of Schneider Electric’s UMAS protocol https://ics-cert.kaspersky.com/publications/reports/2022/09/29/the-secrets-of-schneider-electrics-umas-protocol/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2022/09/29/the-secrets-of-schneider-electrics-umas-protocol/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The UMAS protocol, in its implementation prior to the version in which the CVE-2021-22779 vulnerability was fixed, had significant shortcomings that had a critical effect on the security of control systems based on Schneider Electric controllers.

Thu, 29 Sep 2022 08:00:00 +0000
H1 2022 – a brief overview of the main incidents in industrial cybersecurity https://ics-cert.kaspersky.com/publications/reports/2022/09/08/h1-2022-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2022/09/08/h1-2022-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Events in the cybersecurity world, including ICS, were intense in H1 2022.

Thu, 08 Sep 2022 08:01:00 +0000
Threat landscape for industrial automation systems. Statistics for H1 2022 https://ics-cert.kaspersky.com/publications/reports/2022/09/08/threat-landscape-for-industrial-automation-systems-statistics-for-h1-2022/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2022/09/08/threat-landscape-for-industrial-automation-systems-statistics-for-h1-2022/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The statistical data presented in the report was received from ICS computers protected by Kaspersky products that Kaspersky ICS CERT categorizes as part of the industrial infrastructure at organizations.

Thu, 08 Sep 2022 08:00:00 +0000
Targeted attack on industrial enterprises and public institutions https://ics-cert.kaspersky.com/publications/reports/2022/08/08/targeted-attack-on-industrial-enterprises-and-public-institutions/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2022/08/08/targeted-attack-on-industrial-enterprises-and-public-institutions/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The attackers were able to penetrate dozens of enterprises and even hijack the IT infrastructure of some, taking control of systems used to manage security solutions. The goal of this series of attacks was cyberespionage.

Mon, 08 Aug 2022 08:00:00 +0000
Dynamic analysis of firmware components in IoT devices https://ics-cert.kaspersky.com/publications/reports/2022/07/06/dynamic-analysis-of-firmware-components-in-iot-devices/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2022/07/06/dynamic-analysis-of-firmware-components-in-iot-devices/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Firmware analysis is an essential part of security research and targeted search for vulnerabilities in IoT products. This article examines conventional methods of dynamic analysis and some less obvious methods.

Wed, 06 Jul 2022 10:00:00 +0000
Attacks on industrial control systems using ShadowPad https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A previously unknown Chinese-speaking threat actor is attacking telecommunications, manufacturing, and transport organizations in several Asian countries. The group exploits an MS Exchange vulnerability to deploy ShadowPad malware and infiltrates building automation systems of one of the victims.

Mon, 27 Jun 2022 10:00:00 +0000
Draft of the NIST Guide #800-82 – what has changed https://ics-cert.kaspersky.com/publications/blog/2022/05/24/draft-of-the-nist-guide-800-82-what-has-changed/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2022/05/24/draft-of-the-nist-guide-800-82-what-has-changed/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The release of the third version of the Guide to Operational Technology (OT) Security, SP 800-82 Rev. 3, is, without a doubt, a milestone. Is the third version as good as the previous ones? What has changed?

Tue, 24 May 2022 14:09:57 +0000
ISaPWN – research on the security of ISaGRAF Runtime https://ics-cert.kaspersky.com/publications/reports/2022/05/23/isapwn-research-on-the-security-of-isagraf-runtime/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2022/05/23/isapwn-research-on-the-security-of-isagraf-runtime/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This report includes an analysis of the ISaGRAF framework, its architecture, the IXL and SNCP protocols and the description of several vulnerabilities the Kaspersky ICS CERT team had identified.

Mon, 23 May 2022 10:00:00 +0000
Schneider Electric EcoStruxure Control Expert / Process Expert, SCADAPack RemoteConnect for x70. Information leak from project file https://ics-cert.kaspersky.com/advisories/2022/05/20/klcert-21-007-schneider-electric-ecostruxure-control-expert-process-expert-scadapack-remoteconnect-for-x70-information-leak-from-project-file/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2022/05/20/klcert-21-007-schneider-electric-ecostruxure-control-expert-process-expert-scadapack-remoteconnect-for-x70-information-leak-from-project-file/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main

Fri, 20 May 2022 10:56:03 +0000
Schneider Electric Modicon M340/M580 Authentication Bypass by Spoofing https://ics-cert.kaspersky.com/advisories/2022/05/20/klcert-20-061-klcert-20-068-schneider-electric-modicon-m340-m580-authentication-bypass-by-spoofing/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2022/05/20/klcert-20-061-klcert-20-068-schneider-electric-modicon-m340-m580-authentication-bypass-by-spoofing/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main

Fri, 20 May 2022 10:29:11 +0000
Vulnerability in ICS: assessing the severity https://ics-cert.kaspersky.com/publications/blog/2022/04/20/vulnerability-in-ics-assessing-the-severity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2022/04/20/vulnerability-in-ics-assessing-the-severity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main On the last day of March 2022, Claroty (Team82) published an article on two vulnerabilities they had identified in Rockwell Automation products. We believe that the severity of these vulnerabilities has been significantly exaggerated. At the same time, the most dangerous vulnerability in the same products has remained unnoticed.

Wed, 20 Apr 2022 12:00:00 +0000
Vulnerabilities in Tekon-Automatics solution: (ir)responsible disclosure and scope of the problem https://ics-cert.kaspersky.com/publications/blog/2022/03/31/vulnerabilities-in-tekon-automatics-solution-irresponsible-disclosure-and-scope-of-the-problem/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2022/03/31/vulnerabilities-in-tekon-automatics-solution-irresponsible-disclosure-and-scope-of-the-problem/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Researcher Jose Bertin described the exploitation of several vulnerabilities in a Tekon-Automatics automation solution. We analyze the real scope of what has happened and offer our take on whether this can be considered ethical vulnerability disclosure.

Thu, 31 Mar 2022 14:45:27 +0000
Kaspersky’s statement on the FIRST membership suspension https://ics-cert.kaspersky.com/publications/blog/2022/03/28/kasperskys-statement-on-the-first-membership-suspension/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2022/03/28/kasperskys-statement-on-the-first-membership-suspension/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky ICS CERT received a letter from FIRST, notifying it that its membership has been temporarily suspended. Kaspersky is disappointed by this decision and believes that it hurts the international community of experts and the cybersecurity industry as a whole.

Mon, 28 Mar 2022 14:46:25 +0000
Threat landscape for industrial automation systems. Statistics for H2 2021 https://ics-cert.kaspersky.com/publications/reports/2022/03/03/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2022/03/03/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The statistical data presented in the report was received from ICS computers protected by Kaspersky products that Kaspersky ICS CERT categorizes as part of the industrial infrastructure at organizations.

Thu, 03 Mar 2022 10:00:00 +0000
APT attacks on industrial companies in H2 2021 https://ics-cert.kaspersky.com/publications/reports/2022/02/28/apt-attacks-on-industrial-companies-in-h2-2021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2022/02/28/apt-attacks-on-industrial-companies-in-h2-2021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This summary provides an overview of APT attacks on industrial enterprises disclosed in H2 2021.

Mon, 28 Feb 2022 11:00:00 +0000
Bosch AMC2. Missing authentication for critical function https://ics-cert.kaspersky.com/advisories/2022/01/20/klcert-20-038-bosch-amc2-missing-authentication-for-critical-function/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2022/01/20/klcert-20-038-bosch-amc2-missing-authentication-for-critical-function/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An unauthenticated attacker with the ability to communicate with the affected device via a broadcast address can perform administrative operations on it. It is possible to upload firmware and change the device's configuration.

Thu, 20 Jan 2022 11:25:26 +0000
Bosch AMC2. Information Disclosure due to Hard-coded Cryptographic Key https://ics-cert.kaspersky.com/advisories/2022/01/20/klcert-20-037-bosch-amc2-information-disclosure-due-to-hard-coded-cryptographic-key/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2022/01/20/klcert-20-037-bosch-amc2-information-disclosure-due-to-hard-coded-cryptographic-key/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An attacker can capture and decrypt the communication between the configuration software and the affected devices, since a symmetric encryption algorithm with a fixed key is used to encrypt the communication. An attacker is able to decrypt captured data and encrypt their own crafted data to send to the device.

Thu, 20 Jan 2022 11:25:09 +0000
Campaigns abusing corporate trusted infrastructure hunt for corporate credentials on ICS networks https://ics-cert.kaspersky.com/publications/reports/2022/01/19/campaigns-abusing-corporate-trusted-infrastructure-hunt-for-corporate-credentials-on-ics-networks/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2022/01/19/campaigns-abusing-corporate-trusted-infrastructure-hunt-for-corporate-credentials-on-ics-networks/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Targets of spyware attacks in which each malware sample has a limited scope and a short lifetime include industrial enterprises. Victim organizations’ SMTP services are abused to send phishing emails and collect stolen data.

Wed, 19 Jan 2022 10:00:00 +0000
Log4Shell at industrial enterprises https://ics-cert.kaspersky.com/publications/reports/2021/12/30/log4shell-at-industrial-enterprises/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2021/12/30/log4shell-at-industrial-enterprises/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Although it is still difficult to say to what extent vulnerable ICS systems are exposed to potential attacks, we hope that, unlike IT infrastructures, most vulnerable OT systems cannot accept inputs coming from untrusted sources.

Thu, 30 Dec 2021 11:11:00 +0000
TÜV Austria Academy will offer Kaspersky training courses https://ics-cert.kaspersky.com/events/2021/12/22/tuv-austria-academy-will-offer-kaspersky-training-courses/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2021/12/22/tuv-austria-academy-will-offer-kaspersky-training-courses/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The cooperation between Kaspersky and the TÜV Austria Academy focuses on jointly implementing innovative certified training courses for specialists in information technology and industrial systems. The corresponding contract was signed at the end of November.

Wed, 22 Dec 2021 12:21:43 +0000
PseudoManuscrypt: a mass-scale spyware attack campaign https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky products blocked PseudoManuscrypt on more than 35,000 computers in 195 countries of the world. Targets of attacks include a significant number of industrial and government organizations, including enterprises in the military-industrial complex and research laboratories.

Thu, 16 Dec 2021 10:00:00 +0000
Kaspersky Industrial Cybersecurity Conference 2021 https://ics-cert.kaspersky.com/events/2021/12/02/kaspersky-industrial-cybersecurity-conference-2021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2021/12/02/kaspersky-industrial-cybersecurity-conference-2021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The 9th annual Kaspersky Industrial Cybersecurity Conference took place in Sochi on September 8-10.

Thu, 02 Dec 2021 11:12:40 +0000
Threats to ICS and industrial enterprises in 2022 as they are foreseen from November 2021 https://ics-cert.kaspersky.com/publications/reports/2021/11/23/threats-to-ics-and-industrial-enterprises-in-2022-as-they-are-foreseen-from-november-2021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2021/11/23/threats-to-ics-and-industrial-enterprises-in-2022-as-they-are-foreseen-from-november-2021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In recent years, we have observed various trends in the changing threat landscape for industrial enterprises, most of which have been evolving for some time. We can say with high confidence that many of these trends will not only continue, but gain new traction in the coming year.

Tue, 23 Nov 2021 10:00:00 +0000
APT attacks on industrial organizations in H1 2021 https://ics-cert.kaspersky.com/publications/reports/2021/10/26/apt-attacks-on-industrial-organizations-in-h1-2021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2021/10/26/apt-attacks-on-industrial-organizations-in-h1-2021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This summary provides an overview of APT attacks on industrial enterprises disclosed in H1 2021.

Tue, 26 Oct 2021 08:00:00 +0000
Threat landscape for industrial automation systems. Statistics for H1 2021 https://ics-cert.kaspersky.com/publications/reports/2021/09/09/threat-landscape-for-industrial-automation-systems-statistics-for-h1-2021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2021/09/09/threat-landscape-for-industrial-automation-systems-statistics-for-h1-2021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The statistical data presented in the report was received from ICS computers protected by Kaspersky products that Kaspersky ICS CERT categorizes as part of the industrial infrastructure at organizations.

Thu, 09 Sep 2021 10:00:00 +0000
Rockwell Automation ISaGRAF Runtime: Information Disclosure due to cleartext storage of passwords in a file and memory https://ics-cert.kaspersky.com/advisories/2021/07/13/klcert-20-026-rockwell-automation-isagraf-runtime-information-disclosure-due-to-cleartext-storage-of-passwords-in-a-file-and-memory/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2021/07/13/klcert-20-026-rockwell-automation-isagraf-runtime-information-disclosure-due-to-cleartext-storage-of-passwords-in-a-file-and-memory/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main ISaGRAF Runtime stores the password in plaintext in memory and in a file located in the same directory as the executable file ISAGRAF.exe.

Tue, 13 Jul 2021 12:45:15 +0000
Rockwell Automation ISaGRAF Runtime: Information Disclosure due to Hard-coded Cryptographic Key https://ics-cert.kaspersky.com/advisories/2021/07/13/klcert-20-025-rockwell-automation-isagraf-runtime-information-disclosure-due-to-hard-coded-cryptographic-key/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2021/07/13/klcert-20-025-rockwell-automation-isagraf-runtime-information-disclosure-due-to-hard-coded-cryptographic-key/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A remote attacker is able to decrypt passwords captured during a Man-in-the-Middle attack, because the affected software uses the Tiny Encryption Algorithm (TEA) with fixed keys to encrypt passwords transmitted over the ISaGRAF eXchange Layer protocol.

Tue, 13 Jul 2021 12:45:14 +0000
Rockwell Automation ISaGRAF Runtime: Code Execution due to Uncontrolled Search Path Element https://ics-cert.kaspersky.com/advisories/2021/07/13/klcert-20-024-rockwell-automation-isagraf-runtime-code-execution-due-to-uncontrolled-search-path-element/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2021/07/13/klcert-20-024-rockwell-automation-isagraf-runtime-code-execution-due-to-uncontrolled-search-path-element/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An attacker with write privileges in the VirtualStore folder can perform arbitrary code execution by placing ".dll" files in the affected software's directory, because the software loads dynamic libraries in an uncontrolled way.

Tue, 13 Jul 2021 12:45:13 +0000
Rockwell Automation ISaGRAF Runtime: Information Disclosure due to Cleartext Transmission of Information over IXL protocol https://ics-cert.kaspersky.com/advisories/2021/07/13/klcert-20-023-rockwell-automation-isagraf-runtime-information-disclosure-due-to-cleartext-transmission-of-information-over-ixl-protocol/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2021/07/13/klcert-20-023-rockwell-automation-isagraf-runtime-information-disclosure-due-to-cleartext-transmission-of-information-over-ixl-protocol/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A remote attacker is able to read and modify captured data during a Man-in-the-Middle attack, because the affected software uses the ISaGRAF eXchange Layer protocol, which is unencrypted by design.

Tue, 13 Jul 2021 12:45:00 +0000
Rockwell Automation ISaGRAF Runtime: Code Execution due to Relative Path Traversal https://ics-cert.kaspersky.com/advisories/2021/07/13/klcert-20-022-rockwell-automation-isagraf-runtime-code-execution-due-to-relative-path-traversal/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2021/07/13/klcert-20-022-rockwell-automation-isagraf-runtime-code-execution-due-to-relative-path-traversal/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Some commands used by the ISaGRAF eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible to traverse the ISaGRAF Runtime application’s directory. Scope changed: it is possible to break out from the application’s []

Tue, 13 Jul 2021 12:44:00 +0000
Robert Bosch GmbH CPP HD/MP cameras. Denial of Service via GET HTTP request https://ics-cert.kaspersky.com/advisories/2021/07/02/klcert-21-032-robert-bosch-gmbh-cpp-hd-mp-cameras-denial-of-service-via-get-http-request/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2021/07/02/klcert-21-032-robert-bosch-gmbh-cpp-hd-mp-cameras-denial-of-service-via-get-http-request/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky ICS CERT discovered that a GET HTTP request to the camera's web server can cause a Denial of Service of the device.

Fri, 02 Jul 2021 12:14:12 +0000
Robert Bosch GmbH CPP HD/MP cameras. Improper Input Validation in Web service application https://ics-cert.kaspersky.com/advisories/2021/07/02/klcert-21-030-robert-bosch-gmbh-cpp-hd-mp-cameras-improper-input-validation-in-web-service-application/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2021/07/02/klcert-21-030-robert-bosch-gmbh-cpp-hd-mp-cameras-improper-input-validation-in-web-service-application/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky ICS CERT has discovered that the web service of the Robert Bosch GmbH CPP HD/MP cameras does not correctly parse the HTTP protocol. Scope changed.

Fri, 02 Jul 2021 12:14:11 +0000
Robert Bosch GmbH CPP HD/MP cameras. Reflected XSS in a page parameter https://ics-cert.kaspersky.com/advisories/2021/07/02/klcert-21-019-robert-bosch-gmbh-cpp-hd-mp-cameras-reflected-xss-in-a-page-parameter/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2021/07/02/klcert-21-019-robert-bosch-gmbh-cpp-hd-mp-cameras-reflected-xss-in-a-page-parameter/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky ICS CERT discovered a reflected XSS in a page parameter. Scope changed.

Fri, 02 Jul 2021 12:14:10 +0000
Robert Bosch GmbH CPP HD/MP cameras. Multiple reflected XSS in URI handlers https://ics-cert.kaspersky.com/advisories/2021/07/02/klcert-21-016-robert-bosch-gmbh-cpp-hd-mp-cameras-multiple-reflected-xss-in-uri-handlers/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2021/07/02/klcert-21-016-robert-bosch-gmbh-cpp-hd-mp-cameras-multiple-reflected-xss-in-uri-handlers/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky ICS CERT discovered multiple reflected XSS in URI handlers. Scope changed.

Fri, 02 Jul 2021 12:14:09 +0000
Robert Bosch GmbH CPP HD/MP cameras. Missing Authentication vulnerability for Critical Functions https://ics-cert.kaspersky.com/advisories/2021/07/02/klcert-21-014-robert-bosch-gmbh-cpp-hd-mp-cameras-missing-authentication-vulnerability-for-critical-functions/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2021/07/02/klcert-21-014-robert-bosch-gmbh-cpp-hd-mp-cameras-missing-authentication-vulnerability-for-critical-functions/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky ICS CERT has discovered a missing authentication vulnerability that allows critical commands to be executed via HTTP requests.

Fri, 02 Jul 2021 12:14:00 +0000
DarkChronicles: the consequences of the Colonial Pipeline attack https://ics-cert.kaspersky.com/publications/reports/2021/05/21/darkchronicles-the-consequences-of-the-colonial-pipeline-attack/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2021/05/21/darkchronicles-the-consequences-of-the-colonial-pipeline-attack/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This article began as an overview of the Colonial Pipeline incident. However, the events unfolded so rapidly that the scope of the publication has gone beyond a single incident.

Fri, 21 May 2021 16:41:38 +0000
Moxa NPort IA5000A Series. Cleartext Transmission of Sensitive Information via Moxa Service https://ics-cert.kaspersky.com/advisories/2021/05/11/klcert-20-021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2021/05/11/klcert-20-021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Cleartext Transmission of Sensitive Information via Moxa Service in NPort IA5000A series serial devices.

Tue, 11 May 2021 16:45:00 +0000
Moxa NPort IA5000A Series. Using the Telnet service https://ics-cert.kaspersky.com/advisories/2021/05/11/klcert-20-020/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2021/05/11/klcert-20-020/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The NPort devices use Telnet as one of the network device management services. Telnet does not support the encryption of client-server communications, making it vulnerable to Man-in-the-Middle attacks.

Tue, 11 May 2021 16:40:00 +0000
Moxa NPort IA5000A Series. Passwords stored in plaintext https://ics-cert.kaspersky.com/advisories/2021/05/11/klcert-20-019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2021/05/11/klcert-20-019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The result of exporting a device’s configuration contains the passwords of all users on the system and other sensitive data in the original form if the “Pre-shared key” is not set.

Tue, 11 May 2021 16:33:00 +0000
Moxa NPort IA5000A Series. Broken access control https://ics-cert.kaspersky.com/advisories/2021/05/11/klcert-20-018/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2021/05/11/klcert-20-018/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main By exploiting the vulnerability, a user with “Read Only” privilege level can send requests via the web console to have the device’s configuration changed. Scope changed: the security of serial devices connected to NPort can be affected.

Tue, 11 May 2021 16:26:00 +0000
Vulnerability in FortiGate VPN servers is exploited in Cring ransomware attacks https://ics-cert.kaspersky.com/publications/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2021/04/07/vulnerability-in-fortigate-vpn-servers-is-exploited-in-cring-ransomware-attacks/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An incident investigation conducted by Kaspersky ICS CERT experts at one of the attacked enterprises revealed that attacks of the Cring ransomware exploit a vulnerability in FortiGate VPN servers.

Wed, 07 Apr 2021 10:00:00 +0000
Good old buffer overflow https://ics-cert.kaspersky.com/publications/blog/2021/03/31/good-old-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2021/03/31/good-old-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main CISA has issued an advisory on a Rockwell Automation MicroLogix 1400 buffer overflow vulnerability

Wed, 31 Mar 2021 10:35:03 +0000
Network Asset Traversal or NATural disaster: NAT Slipstreaming 2.0 https://ics-cert.kaspersky.com/publications/blog/2021/03/30/network-asset-traversal-or-natural-disaster-nat-slipstreaming-2-0/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2021/03/30/network-asset-traversal-or-natural-disaster-nat-slipstreaming-2-0/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main NAT bypassing techniques recently published by researchers are particularly dangerous for OT networks of industrial enterprises

Tue, 30 Mar 2021 08:47:32 +0000
APT attacks on industrial companies in 2020 https://ics-cert.kaspersky.com/publications/reports/2021/03/29/apt-attacks-on-industrial-companies-in-2020/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2021/03/29/apt-attacks-on-industrial-companies-in-2020/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Overview of APT attacks on industrial enterprises about which information was published in 2020.

Mon, 29 Mar 2021 09:00:00 +0000
Threat landscape for industrial automation systems. Statistics for H2 2020 https://ics-cert.kaspersky.com/publications/reports/2021/03/25/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2020/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2021/03/25/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2020/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The statistical data presented in the report was received from ICS computers protected by Kaspersky products that Kaspersky ICS CERT categorizes as part of the industrial infrastructure at organizations.

Thu, 25 Mar 2021 10:00:00 +0000
Threat landscape for the ICS engineering and integration sector. 2020 https://ics-cert.kaspersky.com/publications/reports/2021/03/17/threat-landscape-for-the-ics-engineering-and-integration-sector-2020/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2021/03/17/threat-landscape-for-the-ics-engineering-and-integration-sector-2020/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The threat landscape for computers in the ICS engineering and integration sector varies depending on a computer’s environment, including its geographical location, ability to access external networks and services, and user behavior.

Wed, 17 Mar 2021 09:00:00 +0000
More critical vulnerabilities identified in OPC protocol implementations https://ics-cert.kaspersky.com/publications/blog/2021/03/04/more-critical-vulnerabilities-identified-in-opc-protocol-implementations/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2021/03/04/more-critical-vulnerabilities-identified-in-opc-protocol-implementations/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Solutions that use the OPC family of protocols are affected by multiple vulnerabilities that could lead to equipment failure, remote code execution or leaks of critical data

Thu, 04 Mar 2021 10:02:26 +0000
Authentication bypass in Rockwell Automation Logix controllers https://ics-cert.kaspersky.com/advisories/2021/03/02/klcert-17-029-authentication-bypass-in-rockwell-automation-logix-controllers/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2021/03/02/klcert-17-029-authentication-bypass-in-rockwell-automation-logix-controllers/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Studio 5000 Logix Designer, RSLogix 5000 and Logix controllers use a hardcoded key to verify participants of communication.

Tue, 02 Mar 2021 10:24:00 +0000
Lazarus targets defense industry with ThreatNeedle https://ics-cert.kaspersky.com/publications/reports/2021/02/25/lazarus-targets-defense-industry-with-threatneedle/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2021/02/25/lazarus-targets-defense-industry-with-threatneedle/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Thu, 25 Feb 2021 10:00:00 +0000
Classics: vulnerabilities in web console and third-party components in Pepperl+Fuchs IO-Link-Master gateways https://ics-cert.kaspersky.com/publications/blog/2021/02/09/classics-vulnerabilities-in-web-console-and-third-party-components-in-pepperlfuchs-io-link-master-gateways/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2021/02/09/classics-vulnerabilities-in-web-console-and-third-party-components-in-pepperlfuchs-io-link-master-gateways/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The vendor has published an advisory on vulnerabilities in multifunctional gateway devices designed to integrate different types of sensors and PLCs into industrial environments

Tue, 09 Feb 2021 12:31:44 +0000
Getting back on Treck: more vulnerabilities in the infamous TCP/IP Stack https://ics-cert.kaspersky.com/publications/blog/2021/02/05/getting-back-on-treck-more-vulnerabilities-in-the-infamous-tcp-ip-stack/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2021/02/05/getting-back-on-treck-more-vulnerabilities-in-the-infamous-tcp-ip-stack/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Vulnerabilities have been identified in the IPv6 component in the Treck TCP/IP stack implementation. It is recommended that vendors of IoT devices using that implementation issue security advisories.

Fri, 05 Feb 2021 10:01:45 +0000
Much ado about the certificate: what one should know about Siemens SCALANCE X switch configuration to avoid MitM https://ics-cert.kaspersky.com/publications/blog/2021/02/02/much-ado-about-the-certificate-what-one-should-know-about-siemens-scalance-x-switch-configuration-to-avoid-mitm/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2021/02/02/much-ado-about-the-certificate-what-one-should-know-about-siemens-scalance-x-switch-configuration-to-avoid-mitm/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Siemens has released a security alert which describes some cases of SCALANCE X-200/X-200IRT/X-300 switches using hardcoded encryption keys, making them prone to man-in-the-middle attacks

Tue, 02 Feb 2021 11:31:40 +0000
Cryptographic deadly sins and the security of Modicon M100/M200/M221 https://ics-cert.kaspersky.com/publications/blog/2021/01/28/cryptographic-deadly-sins-and-the-security-of-modicon-m100-m200-m221/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2021/01/28/cryptographic-deadly-sins-and-the-security-of-modicon-m100-m200-m221/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Weak implementation of cryptographic data protection allows various types of attacks and enables attackers to identify the key in captured traffic

Thu, 28 Jan 2021 16:19:16 +0000
From buffer overflow to switchboard setup errors: vulnerabilities in building operation software by Schneider Electric https://ics-cert.kaspersky.com/publications/blog/2021/01/27/from-buffer-overflow-to-switchboard-setup-errors-vulnerabilities-in-building-operation-software-by-schneider-electric/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2021/01/27/from-buffer-overflow-to-switchboard-setup-errors-vulnerabilities-in-building-operation-software-by-schneider-electric/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Vulnerabilities in Schneider Electric’s low-voltage distribution system configuration software could enable attackers to upload arbitrary files defining electrical system parameters

Wed, 27 Jan 2021 10:21:36 +0000
Twentieth for Ripple20: Vulnerability in embedded web server of I/O expansion modules for IoT https://ics-cert.kaspersky.com/publications/blog/2021/01/26/twentieth-for-ripple20-vulnerability-in-embedded-web-server-of-i-o-expansion-modules-for-iot/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2021/01/26/twentieth-for-ripple20-vulnerability-in-embedded-web-server-of-i-o-expansion-modules-for-iot/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Schneider Electric has published an advisory on a critical vulnerability in the web server used in TM3 I/O expansion modules

Tue, 26 Jan 2021 12:32:36 +0000
Critical vulnerability in Schneider Electric HMI configuration software https://ics-cert.kaspersky.com/publications/blog/2021/01/26/critical-vulnerability-in-schneider-electric-hmi-configuration-software/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2021/01/26/critical-vulnerability-in-schneider-electric-hmi-configuration-software/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The vulnerability could cause a Windows local user privilege escalation when using EcoStruxure™ Operator Terminal Expert and Pro-face BLUE software and WinGP runtime environment by Schneider Electric.

Tue, 26 Jan 2021 12:25:13 +0000
A classic that needs updating: fresh vulnerabilities in the software of Siemens SCALANCE X switches https://ics-cert.kaspersky.com/publications/blog/2021/01/26/a-classic-that-needs-updating-fresh-vulnerabilities-in-the-software-of-siemens-scalance-x-switches/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2021/01/26/a-classic-that-needs-updating-fresh-vulnerabilities-in-the-software-of-siemens-scalance-x-switches/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main DoS vulnerabilities have been disclosed in the integrated web server of Siemens SCALANCE X-200 / X-200IRT / X-300 switches. Measures proposed by the vendor do not prevent all possible attacks.

Tue, 26 Jan 2021 12:13:47 +0000
SunBurst industrial victims https://ics-cert.kaspersky.com/publications/reports/2021/01/26/sunburst-industrial-victims/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2021/01/26/sunburst-industrial-victims/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main How many industrial organizations had installed backdoored SolarWinds versions? We present the results of our analysis.

Tue, 26 Jan 2021 11:00:00 +0000
ICS threat predictions for 2021 https://ics-cert.kaspersky.com/publications/reports/2020/12/02/ics-threat-predictions-for-2021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/12/02/ics-threat-predictions-for-2021/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main We present our vision of what challenges industrial cybersecurity will soon be (or already is) facing, and what to expect from cybercriminals in 2021.

Wed, 02 Dec 2020 12:00:14 +0000
Are industrial organizations a target for cybercriminals? https://ics-cert.kaspersky.com/events/2020/12/01/are-industrial-organizations-a-target-for-cybercriminals/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2020/12/01/are-industrial-organizations-a-target-for-cybercriminals/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky ICS CERT experts virtually provided ICS Training for Executives

Tue, 01 Dec 2020 11:30:53 +0000
Kaspersky ICS CERT goes virtual with the Deggendorf Institute of Technology! https://ics-cert.kaspersky.com/events/2020/11/24/kaspersky-ics-cert-goes-virtual-with-the-deggendorf-institute-of-technology/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2020/11/24/kaspersky-ics-cert-goes-virtual-with-the-deggendorf-institute-of-technology/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky’s mission incorporates education on all levels, including collaborations with universities. As part of this mission, we have been working with the Deggendorf Institute of Technology (DIT) for the past eighteen months.

Tue, 24 Nov 2020 08:58:17 +0000
First things first: Kaspersky ICS CERT becomes new member of the global Forum of Incident Response and Security Teams (FIRST) https://ics-cert.kaspersky.com/publications/blog/2020/11/23/first-things-first-kaspersky-ics-cert-becomes-new-member-of-the-global-forum-of-incident-response-and-security-teams-first/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2020/11/23/first-things-first-kaspersky-ics-cert-becomes-new-member-of-the-global-forum-of-incident-response-and-security-teams-first/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main After rigorous assessment, Kaspersky’s Industrial Systems Emergency Response Team (ICS CERT) has officially joined FIRST – the global Forum of Incident Response and Security Teams.

Mon, 23 Nov 2020 10:59:10 +0000
ENISA publishes guidelines for securing internet of things supply chain https://ics-cert.kaspersky.com/publications/blog/2020/11/23/enisa-publishes-guidelines-for-securing-internet-of-things-supply-chain/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2020/11/23/enisa-publishes-guidelines-for-securing-internet-of-things-supply-chain/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The European Union Agency for Cybersecurity (ENISA) has published its guidelines for securing the internet of things supply chain. Kaspersky ICS CERT experts were among the contributors to the development effort.

Mon, 23 Nov 2020 10:13:30 +0000
Municipal services at Canadian City of Saint John down due to cyberattack https://ics-cert.kaspersky.com/publications/blog/2020/11/18/saint-john-attack/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2020/11/18/saint-john-attack/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Attack by Ryuk ransomware disrupts nearly all municipal services in Canadian city of Saint John

Wed, 18 Nov 2020 16:02:50 +0000
Attacks on industrial enterprises using RMS and TeamViewer: new data https://ics-cert.kaspersky.com/publications/reports/2020/11/05/attacks-on-industrial-enterprises-using-rms-and-teamviewer-new-data/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/11/05/attacks-on-industrial-enterprises-using-rms-and-teamviewer-new-data/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The attacks use remote administration utilities whose graphical user interface is hidden by the malware, enabling the attackers to control the infected system without the user’s knowledge.

Thu, 05 Nov 2020 10:00:00 +0000
Practical example of fuzzing OPC UA applications https://ics-cert.kaspersky.com/publications/reports/2020/10/19/practical-example-of-fuzzing-opc-ua-applications/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/10/19/practical-example-of-fuzzing-opc-ua-applications/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main We continue to describe our approaches to searching for vulnerabilities in industrial systems based on the OPC UA protocol. In this article, we examine new techniques that can be used to search for memory corruption vulnerabilities if the source code is available. We also discuss an example of fuzzing using libfuzzer.

Mon, 19 Oct 2020 08:00:00 +0000
What it feels like for a turbine https://ics-cert.kaspersky.com/publications/reports/2020/10/13/what-it-feels-like-for-a-turbine/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/10/13/what-it-feels-like-for-a-turbine/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The goal of the article is to raise awareness on security of Distributed Control Systems (DCS), propose a methodology for assessment, and a remediation strategy. Defenders are always behind attackers, and this publication is trying to balance things out.

Tue, 13 Oct 2020 13:03:41 +0000
Session Information Exposure in ARC Informatique PcVue https://ics-cert.kaspersky.com/advisories/2020/10/09/klcert-20-017-session-information-exposure-in-arc-informatique-pcvue/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/10/09/klcert-20-017-session-information-exposure-in-arc-informatique-pcvue/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An information exposure vulnerability exists in PcVue 12, allowing a non-authorized user to access session data of legitimate users.

Fri, 09 Oct 2020 15:07:00 +0000
Denial-of-Service in ARC Informatique PcVue https://ics-cert.kaspersky.com/advisories/2020/10/09/klcert-20-016-denial-of-service-in-arc-informatique-pcvue/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/10/09/klcert-20-016-denial-of-service-in-arc-informatique-pcvue/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A Denial of service vulnerability exists in PcVue 12, due to the ability for a non-authorized user to modify information used to validate messages sent by legitimate web clients.

Fri, 09 Oct 2020 15:03:00 +0000
Remote Code Execution in ARC Informatique PcVue https://ics-cert.kaspersky.com/advisories/2020/10/09/klcert-20-015-remote-code-execution-in-arc-informatique-pcvue/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/10/09/klcert-20-015-remote-code-execution-in-arc-informatique-pcvue/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An attacker with network access to the target workstation can send specially crafted packets with serialized data, which may cause remote code execution upon deserialization.

Fri, 09 Oct 2020 14:59:00 +0000
MontysThree: Industrial espionage with steganography and a Russian accent on both sides https://ics-cert.kaspersky.com/publications/reports/2020/10/08/montysthree-industrial-espionage-with-steganography-and-a-russian-accent-on-both-sides/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/10/08/montysthree-industrial-espionage-with-steganography-and-a-russian-accent-on-both-sides/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In Summer 2020 we uncovered a previously unknown multi-module C++ toolset used in highly targeted industrial espionage attacks dating back to 2018.

Thu, 08 Oct 2020 10:00:00 +0000
Threat landscape for industrial automation systems. H1 2020 https://ics-cert.kaspersky.com/publications/reports/2020/09/24/threat-landscape-for-industrial-automation-systems-h1-2020/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/09/24/threat-landscape-for-industrial-automation-systems-h1-2020/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The percentage of computers attacked globally is decreasing. At the same time, threats are becoming more localized, more focused, and, as a result, more diverse and sophisticated.

Thu, 24 Sep 2020 08:00:00 +0000
The State of Industrial Cybersecurity 2020 https://ics-cert.kaspersky.com/publications/reports/2020/09/15/the-state-of-industrial-cybersecurity-2020/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/09/15/the-state-of-industrial-cybersecurity-2020/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In 2020 ARC Advisory Group on behalf of Kaspersky conducted a survey on the state of industrial cybersecurity, as well as the current priorities and challenges of industrial organizations. More than 330 industrial companies and organizations across the globe were surveyed online and 10 industry representatives were interviewed at trade fairs and ARC forums worldwide.

Tue, 15 Sep 2020 11:00:00 +0000
Cyberthreats for ICS in Energy in Europe. Q1 2020 https://ics-cert.kaspersky.com/publications/reports/2020/08/31/cyberthreats-for-ics-in-energy-in-europe-q1-2020/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/08/31/cyberthreats-for-ics-in-energy-in-europe-q1-2020/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In Q1 2020 in Europe, Kaspersky products were triggered on 20.4% of ICS computers in the energy sector. A total of 1,485 malware modifications from 633 different families were blocked.

Mon, 31 Aug 2020 10:00:00 +0000
Session token exposed in Honeywell ControlEdge PLC and RTU https://ics-cert.kaspersky.com/advisories/2020/06/23/klcert-20-014-session-token-exposed-in-honeywell-controledge-plc-and-rtu/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/06/23/klcert-20-014-session-token-exposed-in-honeywell-controledge-plc-and-rtu/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Exposed session token in Honeywell ControlEdge PLC and RTU.

Tue, 23 Jun 2020 10:31:00 +0000
Unencrypted password transmission in Honeywell ControlEdge PLC and RTU https://ics-cert.kaspersky.com/advisories/2020/06/23/klcert-20-013-unencypted-password-transmission-in-honeywell-controledge-plc-and-rtu/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/06/23/klcert-20-013-unencypted-password-transmission-in-honeywell-controledge-plc-and-rtu/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Unencrypted password transmission on the network in Honeywell ControlEdge PLC and RTU.

Tue, 23 Jun 2020 10:28:00 +0000
Targeted attacks on industrial companies using Snake ransomware (updated) https://ics-cert.kaspersky.com/publications/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main According to Kaspersky ICS CERT data, a number of industrial companies are currently experiencing targeted attacks involving the Snake encryption ransomware.

Wed, 17 Jun 2020 16:51:23 +0000
Steganography in attacks on industrial enterprises (updated) https://ics-cert.kaspersky.com/publications/reports/2020/06/17/steganography-in-attacks-on-industrial-enterprises/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/06/17/steganography-in-attacks-on-industrial-enterprises/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky ICS CERT has identified a series of attacks targeting, among others, organizations in various industrial sectors. Victims include suppliers of equipment and software for industrial enterprises.

Wed, 17 Jun 2020 10:00:00 +0000
Multiple vulnerabilities in EcoStruxure Operator Terminal Expert https://ics-cert.kaspersky.com/publications/blog/2020/05/28/multiple-vulnerabilities-in-ecostruxure-operator-terminal-expert/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2020/05/28/multiple-vulnerabilities-in-ecostruxure-operator-terminal-expert/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Vulnerabilities that can lead to unsanctioned account access or remote code execution.

Thu, 28 May 2020 15:01:16 +0000
Dangerous vulnerabilities in Emerson OpenEnterprise https://ics-cert.kaspersky.com/publications/blog/2020/05/28/dangerous-vulnerabilities-in-emerson-openenterprise/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2020/05/28/dangerous-vulnerabilities-in-emerson-openenterprise/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky ICS CERT has discovered vulnerabilities that may allow threat actors to modify configuration files, execute arbitrary code remotely or access user passwords.

Thu, 28 May 2020 15:00:42 +0000
Cyber incidents in industrial enterprises during the first half of May: Stadler, Elexon, BlueScope https://ics-cert.kaspersky.com/publications/blog/2020/05/20/cyber-incidents-in-industrial-enterprises-during-the-first-half-of-may/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2020/05/20/cyber-incidents-in-industrial-enterprises-during-the-first-half-of-may/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Victims included a railway stock manufacturer, an electric utility company and a steel producer. One incident brought operations to a halt

Wed, 20 May 2020 10:23:26 +0000
Missing Authentication in Emerson OpenEnterprise SCADA before 3.3.4 https://ics-cert.kaspersky.com/advisories/2020/05/20/klcert-20-012-missing-authentication-in-emerson-openenterprise-scada-before-3-3-4/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/05/20/klcert-20-012-missing-authentication-in-emerson-openenterprise-scada-before-3-3-4/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Missing Authentication in Emerson OpenEnterprise SCADA versions before 3.3.4 might lead to arbitrary code execution. The affected components may allow an attacker to run arbitrary commands with system privileges or perform remote code execution via a specific communication service.

Wed, 20 May 2020 09:12:00 +0000
Inadequate Encryption Strength in Emerson OpenEnterprise SCADA before 3.3.4 https://ics-cert.kaspersky.com/advisories/2020/05/20/klcert-20-011-inadequate-encryption-strength-in-emerson-openenterprise-scada-before-3-3-4/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/05/20/klcert-20-011-inadequate-encryption-strength-in-emerson-openenterprise-scada-before-3-3-4/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Inadequate Encryption Strength in Emerson OpenEnterprise SCADA versions before 3.3.4.

Wed, 20 May 2020 09:09:00 +0000
Improper Ownership Management in Emerson OpenEnterprise SCADA before 3.3.4 https://ics-cert.kaspersky.com/advisories/2020/05/20/klcert-20-010-improper-ownership-management-in-emerson-openenterprise-scada-before-3-3-4/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/05/20/klcert-20-010-improper-ownership-management-in-emerson-openenterprise-scada-before-3-3-4/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Improper Ownership Management in Emerson OpenEnterprise SCADA versions before 3.3.4.

Wed, 20 May 2020 09:06:00 +0000
Overview of recommendations on organizing secure remote work for critical infrastructure and other facilities https://ics-cert.kaspersky.com/publications/reports/2020/04/30/secure-remote-work-for-critical-infrastructure/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/04/30/secure-remote-work-for-critical-infrastructure/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Do security issues associated with working remotely affect critical infrastructure enterprises? Should organizations take additional protective measures? A view of regulators in the area of information security.

Thu, 30 Apr 2020 17:14:50 +0000
Multiple vulnerabilities in ABB 800xA DCS https://ics-cert.kaspersky.com/publications/blog/2020/04/30/abb-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2020/04/30/abb-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The vulnerabilities could allow attackers to remotely compromise hosts, cause denial-of-service conditions or elevate their privileges

Thu, 30 Apr 2020 08:50:11 +0000
Targeted attacks on Israeli water supply and wastewater treatment facilities https://ics-cert.kaspersky.com/publications/blog/2020/04/29/israel-water-cyberattacks/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2020/04/29/israel-water-cyberattacks/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Israeli authorities have warned of possible attacks on SCADA systems of wastewater treatment, water pumping and sewerage facilities

Tue, 28 Apr 2020 21:11:24 +0000
Malicious campaigns against Azerbaijan’s government and industrial organizations https://ics-cert.kaspersky.com/publications/blog/2020/04/24/attacks-on-azerbaijan/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2020/04/24/attacks-on-azerbaijan/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The attackers use PoetRAT, a new RAT Trojan distributed via Microsoft Word documents

Fri, 24 Apr 2020 12:20:47 +0000
Threat landscape for industrial automation systems. Overall global statistics – H2 2019 https://ics-cert.kaspersky.com/publications/reports/2020/04/24/threat-landscape-for-industrial-automation-systems-overall-global-statistics-h2-2019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/04/24/threat-landscape-for-industrial-automation-systems-overall-global-statistics-h2-2019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The statistical data presented in the report was received from ICS computers protected by Kaspersky products that Kaspersky ICS CERT categorizes as part of the industrial infrastructure at organizations.

Fri, 24 Apr 2020 08:04:00 +0000
Threat landscape for industrial automation systems. Ransomware and other malware: key events of H2 2019 https://ics-cert.kaspersky.com/publications/reports/2020/04/24/threat-landscape-for-industrial-automation-systems-ransomware-and-other-malware-key-events-of-h2-2019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/04/24/threat-landscape-for-industrial-automation-systems-ransomware-and-other-malware-key-events-of-h2-2019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This section presents an overview of threats related to ransomware activity against municipal institutions, industrial enterprises and critical infrastructure facilities.

Fri, 24 Apr 2020 08:03:00 +0000
Threat landscape for industrial automation systems. APT attacks on industrial companies in 2019 https://ics-cert.kaspersky.com/publications/reports/2020/04/24/threat-landscape-for-industrial-automation-systems-apt-attacks-on-industrial-companies-in-2019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/04/24/threat-landscape-for-industrial-automation-systems-apt-attacks-on-industrial-companies-in-2019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Overview of APT attacks on industrial enterprises about which information was published in 2019.

Fri, 24 Apr 2020 08:02:00 +0000
Threat landscape for industrial automation systems. Vulnerabilities identified in 2019 https://ics-cert.kaspersky.com/publications/reports/2020/04/24/threat-landscape-for-industrial-automation-systems-vulnerabilities-identified-in-2019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/04/24/threat-landscape-for-industrial-automation-systems-vulnerabilities-identified-in-2019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The analysis of vulnerabilities was performed based on vendor advisories, publicly available information from open vulnerability databases (US ICS-CERT, CVE, Siemens Product CERT), as well as the results of Kaspersky ICS CERT’s own research.

Fri, 24 Apr 2020 08:01:00 +0000
Threat landscape for industrial automation systems. 2019 Report at a glance https://ics-cert.kaspersky.com/publications/reports/2020/04/24/threat-landscape-for-industrial-automation-systems-2019-report-at-a-glance/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/04/24/threat-landscape-for-industrial-automation-systems-2019-report-at-a-glance/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Malicious objects were blocked on 46.6% and ransomware on 1.0% of ICS computers. Kaspersky ICS CERT identified 103 vulnerabilities in industrial systems, IIoT/IoT systems, and other types of solutions.

Fri, 24 Apr 2020 08:00:00 +0000
Dozens of Siemens industrial devices are affected by DoS vulnerabilities https://ics-cert.kaspersky.com/publications/blog/2020/04/17/siemens-dos-vulnerabilities-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2020/04/17/siemens-dos-vulnerabilities-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Siemens industrial solutions are affected by SegmentSmack and FragmentSmack vulnerabilities, which could lead to device denial of service

Fri, 17 Apr 2020 19:01:24 +0000
New ransomware attacks on industrial enterprises https://ics-cert.kaspersky.com/publications/blog/2020/04/17/new-ransomware/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2020/04/17/new-ransomware/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In new ransomware attacks, victims face the choice between paying the ransom and seeing their sensitive data published by the attackers

Fri, 17 Apr 2020 16:20:31 +0000
Multiple vulnerabilities in Advantech WebAccess/NMS https://ics-cert.kaspersky.com/publications/blog/2020/04/13/advantech-webaccess-nms/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2020/04/13/advantech-webaccess-nms/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main If exploited, the vulnerabilities could lead to arbitrary code execution, file manipulations, denial of service and the creation of an admin account

Mon, 13 Apr 2020 14:12:06 +0000
Threat actor behind Ryuk malware continues attacks on medical facilities despite epidemic https://ics-cert.kaspersky.com/publications/blog/2020/04/03/ryuk-attacks-continue/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2020/04/03/ryuk-attacks-continue/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In the past month, 10 more hospitals have fallen victim to Ryuk attacks in the US

Fri, 03 Apr 2020 12:37:39 +0000
WildPressure targets industrial-related entities in the Middle East https://ics-cert.kaspersky.com/publications/reports/2020/03/26/wildpressure-targets-industrial-related-entities-in-the-middle-east/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2020/03/26/wildpressure-targets-industrial-related-entities-in-the-middle-east/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main We found just three almost unique samples, all in one country. So we consider the attacks to be targeted and have currently named this operation WildPressure.

Thu, 26 Mar 2020 13:13:42 +0000
Remote Code Execution on LibVNC version prior to 0.9.12 https://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-009-remote-code-execution-on-libvnc-version-prior-to-0-9-12/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-009-remote-code-execution-on-libvnc-version-prior-to-0-9-12/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main LibVNC client code contains a heap buffer overflow vulnerability in commits prior to 6073771eed1caf72f196e410182471e0dfd32149. This could possibly result in remote code execution. This attack appears to be exploitable via network connectivity. The issue has been fixed in commit 54220248886b5001fbbb9fa73c4e1a2cb9413fed.

Mon, 23 Mar 2020 12:20:00 +0000
Remote Code Execution on TigerVNC version prior to 1.10.1 https://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-008-remote-code-execution-on-tigervnc-version-prior-to-1-10-1-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-008-remote-code-execution-on-tigervnc-version-prior-to-1-10-1-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main TigerVNC version prior to 1.10.1 is vulnerable to a stack buffer overflow, which could be triggered from CMsgReader::readSetCursor. This vulnerability occurs due to insufficient sanitization of PixelFormat. Since a remote attacker can choose the offset from the start of the buffer at which to start writing his values, exploitation of this vulnerability could potentially result in remote code execution. This attack []

Mon, 23 Mar 2020 12:18:00 +0000
Remote Code Execution on TigerVNC version prior to 1.10.1 https://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-007-remote-code-execution-on-tigervnc-version-prior-to-1-10-1/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-007-remote-code-execution-on-tigervnc-version-prior-to-1-10-1/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main TigerVNC version prior to 1.10.1 is vulnerable to a heap buffer overflow, which occurs in TightDecoder::FilterGradient. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.

Mon, 23 Mar 2020 12:15:00 +0000
Remote Code Execution on TigerVNC version prior to 1.10.1 https://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-006-remote-code-execution-on-tigervnc-version-prior-to-1-10-1/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-006-remote-code-execution-on-tigervnc-version-prior-to-1-10-1/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main TigerVNC version prior to 1.10.1 is vulnerable to a heap buffer overflow. The vulnerability could be triggered from CopyRectDecoder due to incorrect value checks. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.

Mon, 23 Mar 2020 12:10:00 +0000
Remote Code Execution on TigerVNC version prior to 1.10.1 https://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-005-remote-code-execution-on-tigervnc-version-prior-to-1-10-1/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-005-remote-code-execution-on-tigervnc-version-prior-to-1-10-1/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main TigerVNC version prior to 1.10.1 is vulnerable to a stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If the decoding routine throws an exception, ZRLEDecoder may try to access a stack variable that has already been freed during stack unwinding. Exploitation of this vulnerability could potentially result in remote []

Mon, 23 Mar 2020 12:08:00 +0000
Remote Code Execution on TigerVNC version prior to 1.10.1 https://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-323-remote-code-execution-on-tigervnc-version-prior-to-1-10-1/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-323-remote-code-execution-on-tigervnc-version-prior-to-1-10-1/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main TigerVNC version prior to 1.10.1 is vulnerable to a heap buffer overflow, which could be triggered from DecodeManager::decodeRect. The vulnerability occurs due to a signedness error in processing MemOutStream. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.

Mon, 23 Mar 2020 12:07:00 +0000
Remote Code Execution on Emerson OpenEnterprise SCADA Server version 2.83 and all versions of OpenEnterprise 3.1 through 3.3.3 https://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-324-remote-code-execution-on-emerson-openenterprise-scada-server-version-2-83-and-all-versions-of-openenterprise-3-1-through-3-3-3/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/03/23/klcert-20-324-remote-code-execution-on-emerson-openenterprise-scada-server-version-2-83-and-all-versions-of-openenterprise-3-1-through-3-3-3/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A Heap-based Buffer Overflow was found in Emerson OpenEnterprise SCADA Server version 2.83 (if Modbus or ROC Interfaces have been installed and are in use) and all versions of OpenEnterprise 3.1 through 3.3.3, where a specially crafted script could execute code on the OpenEnterprise Server.

Mon, 23 Mar 2020 12:01:00 +0000
XXE on Moxa’s cellular management software OnCell Central Manager Version lower than 2.4.1 https://ics-cert.kaspersky.com/advisories/2020/03/16/klcert-20-002-xxe-on-moxas-cellular-management-software-oncell-central-manager-version-lower-than-2-4-1/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/03/16/klcert-20-002-xxe-on-moxas-cellular-management-software-oncell-central-manager-version-lower-than-2-4-1/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Moxa’s cellular management software OnCell Central Manager, versions lower than 2.4.1, was affected by XML External Entity (XXE) due to the use of a vulnerable third-party component (Apache Flex BlazeDS).

Mon, 16 Mar 2020 11:01:00 +0000
Remote Code Execution on Moxa’s cellular management software OnCell Central Manager Version lower than 2.4.1 https://ics-cert.kaspersky.com/advisories/2020/03/16/klcert-20-001-remote-code-execution-on-moxas-cellular-management-software-oncell-central-manager-version-lower-than-2-4-1/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2020/03/16/klcert-20-001-remote-code-execution-on-moxas-cellular-management-software-oncell-central-manager-version-lower-than-2-4-1/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Moxa’s cellular management software OnCell Central Manager, versions lower than 2.4.1, was affected by Remote Code Execution due to the use of a vulnerable third-party component (Apache Flex BlazeDS).

Mon, 16 Mar 2020 10:52:00 +0000
Kaspersky conducts ICS digital forensics and incident response training course in China https://ics-cert.kaspersky.com/events/2020/01/30/kaspersky-in-china/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2020/01/30/kaspersky-in-china/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Beijing, 23-27 December 2019: Kaspersky ICS CERT together with the China Industrial Control Systems Cyber Emergency Response Team (CIC) conducted a training course on digital forensics and incident response in industrial control systems.

Thu, 30 Jan 2020 10:53:55 +0000
Ransomware attack on Picanol paralyzes production at plants in Belgium, Romania, and China https://ics-cert.kaspersky.com/publications/blog/2020/01/17/picanol-ransomware/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2020/01/17/picanol-ransomware/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The company has been forced to stop its operations almost completely. Production recovery will take at least a week

Fri, 17 Jan 2020 15:03:12 +0000
Dustman wiper attack on Bapco oil company https://ics-cert.kaspersky.com/publications/blog/2020/01/10/bapco-dustman/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2020/01/10/bapco-dustman/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Dustman is an upgraded version of the ZeroCleare wiper. The attack exploited a vulnerability in VPN appliances

Fri, 10 Jan 2020 10:40:12 +0000
Ryuk ransomware attacks unnamed US maritime transportation facility https://ics-cert.kaspersky.com/publications/blog/2019/12/30/ryuk-attacks-maritime-facility/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/12/30/ryuk-attacks-maritime-facility/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The infection affected the facility’s corporate network and industrial control systems that control cargo transfer. The primary operations of the facility were shut down for over 30 hours

Mon, 30 Dec 2019 15:51:27 +0000
German cities under attack by Emotet botnet https://ics-cert.kaspersky.com/publications/blog/2019/12/24/emotet-attacks-german-cities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/12/24/emotet-attacks-german-cities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Emotet was distributed via phishing emails and was used to deploy ransomware

Tue, 24 Dec 2019 11:34:53 +0000
Multiple vulnerabilities in WAGO PLCs https://ics-cert.kaspersky.com/publications/blog/2019/12/20/wago-critical-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/12/20/wago-critical-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Nine vulnerabilities have been identified in WAGO PFC200 and PFC100 PLCs. They could lead to arbitrary code execution or cause denial of service

Fri, 20 Dec 2019 16:42:24 +0000
More ransomware attacks https://ics-cert.kaspersky.com/publications/blog/2019/12/20/more-ransomware-attacks/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/12/20/more-ransomware-attacks/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Victims of the latest attacks include Pensacola and New Orleans city administrations in the US and a hospital in Benešov (Czech Republic)

Fri, 20 Dec 2019 10:38:50 +0000
Multiple vulnerabilities in Modicon controllers https://ics-cert.kaspersky.com/publications/blog/2019/12/19/schneider-electric-modicon-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/12/19/schneider-electric-modicon-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main If exploited, the vulnerabilities could result in denial of service. They can be fixed by updating device firmware

Thu, 19 Dec 2019 15:19:38 +0000
Multiple vulnerabilities in SPPA-T3000 components https://ics-cert.kaspersky.com/publications/blog/2019/12/18/siemens-sppa-t3000/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/12/18/siemens-sppa-t3000/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Vulnerabilities have been identified in SPPA-T3000 Application Server and MS3000 Migration Server. Some of the faults are critical and could allow attackers to execute arbitrary code on the server

Wed, 18 Dec 2019 10:42:23 +0000
Multiple vulnerabilities in Siemens products https://ics-cert.kaspersky.com/publications/blog/2019/12/17/siemens-multiple-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/12/17/siemens-multiple-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Vulnerable solutions include SiNVR 3, XHQ Operations Intelligence, RUGGEDCOM ROS, and Siemens EN100

Tue, 17 Dec 2019 15:21:30 +0000
Biometric data processing and storage system threats https://ics-cert.kaspersky.com/publications/reports/2019/12/02/biometric-data-processing-and-storage-system-threats/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2019/12/02/biometric-data-processing-and-storage-system-threats/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The findings of our research can be used to make a more objective assessment of risks associated with using modern biometric authentication systems.

Mon, 02 Dec 2019 15:00:02 +0000
Applied industrial cybersecurity by Kaspersky at the Deggendorf Institute of Technology https://ics-cert.kaspersky.com/events/2019/11/25/applied-industrial-cybersecurity-by-kaspersky-at-the-deggendorf-institute-of-technology/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2019/11/25/applied-industrial-cybersecurity-by-kaspersky-at-the-deggendorf-institute-of-technology/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main On October 14 and 15, 2019, Kaspersky ICS CERT experts provided an exclusive two-day training program on applied industrial cybersecurity at the Deggendorf Institute of Technology (DIT) for graduate students specializing in cybersecurity, as well as for 30 students from various DIT courses.

Mon, 25 Nov 2019 14:26:00 +0000
VNC vulnerability research https://ics-cert.kaspersky.com/publications/reports/2019/11/22/vnc-vulnerability-research/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2019/11/22/vnc-vulnerability-research/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Findings of research on different implementations of the VNC remote access system. Memory corruption vulnerabilities were found, some of which, if exploited, could lead to remote code execution.

Fri, 22 Nov 2019 10:00:53 +0000
7th Kaspersky Industrial Cybersecurity Conference https://ics-cert.kaspersky.com/events/2019/11/01/7th-kaspersky-industrial-cybersecurity-conference/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2019/11/01/7th-kaspersky-industrial-cybersecurity-conference/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky’s seventh international conference dedicated to industrial cybersecurity took place on September 18-20 in Sochi, Russia.

Fri, 01 Nov 2019 12:46:42 +0000
A denial-of-service condition in RDesktop before 1.8.5 https://ics-cert.kaspersky.com/advisories/2019/10/30/klcert-19-032-denial-of-service-in-rdesktop-before-1-8-4/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/10/30/klcert-19-032-denial-of-service-in-rdesktop-before-1-8-4/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Rdesktop before version 1.8.5 contains multiple out-of-bounds read vulnerabilities in its code, which result in a denial-of-service (DoS) condition. This attack appears to be exploitable via network connectivity. These issues have been fixed in version 1.8.5.

Wed, 30 Oct 2019 12:00:00 +0000
Vulnerability in Cisco IOS and IOS XE affecting industrial routers https://ics-cert.kaspersky.com/publications/blog/2019/10/01/cisco-ios/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/10/01/cisco-ios/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Affected devices include Cisco 800 Series industrial routers and Cisco 1000 Series Connected Grid Routers (CGR 1000)

Tue, 01 Oct 2019 16:39:57 +0000
Cyberattack on Rheinmetall technology group https://ics-cert.kaspersky.com/publications/blog/2019/10/01/rheinmetall/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/10/01/rheinmetall/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A malware attack has disrupted production at Rheinmetall Group plants in three countries. The company expects it to take 2 to 4 weeks to eliminate the disruption

Tue, 01 Oct 2019 15:15:29 +0000
Threat landscape for industrial automation systems, H1 2019 https://ics-cert.kaspersky.com/publications/reports/2019/09/30/threat-landscape-for-industrial-automation-systems-h1-2019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2019/09/30/threat-landscape-for-industrial-automation-systems-h1-2019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Descriptions of dangerous threats, our findings from analyzing statistics on blocked threats, and possible vectors of malware penetration of ICS computers.

Mon, 30 Sep 2019 10:00:38 +0000
Threat landscape for smart buildings. H1 2019 in brief https://ics-cert.kaspersky.com/publications/reports/2019/09/19/threat-landscape-for-smart-buildings-h1-2019-in-brief/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2019/09/19/threat-landscape-for-smart-buildings-h1-2019-in-brief/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main What threats are relevant to building automation systems and what malware their owners have encountered in the first six months of 2019.

Thu, 19 Sep 2019 12:11:47 +0000
Security research: CODESYS Runtime, a PLC control framework. Part 3 https://ics-cert.kaspersky.com/publications/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-3/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-3/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This article continues the discussion of research on popular OEM technologies that are implemented in the products of a large number of vendors. Vulnerabilities in such technologies are highly likely to affect the security of many, if not all, products that use them. In some cases, this means hundreds of products that are used in industrial environments and in critical infrastructure facilities. This is the case with CODESYS Runtime, a framework by CODESYS designed for developing and executing industrial control system software.

Wed, 18 Sep 2019 10:01:04 +0000
Security research: CODESYS Runtime, a PLC control framework. Part 2 https://ics-cert.kaspersky.com/publications/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This article continues the discussion of research on popular OEM technologies that are implemented in the products of a large number of vendors. Vulnerabilities in such technologies are highly likely to affect the security of many, if not all, products that use them. In some cases, this means hundreds of products that are used in industrial environments and in critical infrastructure facilities. This is the case with CODESYS Runtime, a framework by CODESYS designed for developing and executing industrial control system software.

Wed, 18 Sep 2019 10:00:21 +0000
Security research: CODESYS Runtime, a PLC control framework. Part 1 https://ics-cert.kaspersky.com/publications/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-1/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2019/09/18/security-research-codesys-runtime-a-plc-control-framework-part-1/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This article continues the discussion of research on popular OEM technologies that are implemented in the products of a large number of vendors. Vulnerabilities in such technologies are highly likely to affect the security of many, if not all, products that use them. In some cases, this means hundreds of products that are used in industrial environments and in critical infrastructure facilities. This is the case with CODESYS Runtime, a framework by CODESYS designed for developing and executing industrial control system software.

Wed, 18 Sep 2019 09:59:03 +0000
Multiple vulnerabilities identified in Red Lion Controls Crimson software https://ics-cert.kaspersky.com/publications/blog/2019/09/11/red-lion/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/09/11/red-lion/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Successful exploitation of the vulnerabilities could allow an attacker to execute arbitrary code, crash the device or view protected data

Wed, 11 Sep 2019 16:03:03 +0000
Software vulnerabilities in EZ Touch Editor and EZ PLC Editor https://ics-cert.kaspersky.com/publications/blog/2019/09/11/ez-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/09/11/ez-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Exploitation of the vulnerabilities could lead to remote code execution

Wed, 11 Sep 2019 14:57:08 +0000
State of Industrial Cybersecurity: survey by Kaspersky and ARC Advisory Group https://ics-cert.kaspersky.com/publications/blog/2019/08/29/survey-2019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/08/29/survey-2019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main ARC Advisory Group and Kaspersky have presented a survey on the state of industrial cybersecurity in 2019

Thu, 29 Aug 2019 14:42:44 +0000
Industrial Internet Consortium will support Kaspersky Industrial Cybersecurity Conference 2019 as Association Partner https://ics-cert.kaspersky.com/publications/blog/2019/08/16/iic-conference-sochi/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/08/16/iic-conference-sochi/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Industrial Internet Consortium will take part in the Kaspersky Industrial Cybersecurity Conference 2019 in Sochi as an Association Partner. Don't miss the IIC delegate's presentation!

Fri, 16 Aug 2019 15:57:38 +0000
The internet of things security maturity model: a nudge for IoT cybersecurity https://ics-cert.kaspersky.com/publications/reports/2019/08/14/the-internet-of-things-security-maturity-model-a-nudge-for-iot-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2019/08/14/the-internet-of-things-security-maturity-model-a-nudge-for-iot-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The purpose of the IoT Security Maturity Model (IoT SMM) is to help choose protection measures against cyberthreats that correspond to the company’s actual business needs.

Wed, 14 Aug 2019 09:00:36 +0000
CODESYS V3 Password transmission vulnerability https://ics-cert.kaspersky.com/advisories/2019/08/13/klcert-19-031-codesys-v3-password-transmission-vulnerability/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/08/13/klcert-19-031-codesys-v3-password-transmission-vulnerability/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The CODESYS Control runtime system enables embedded or PC-based devices to be a programmable industrial controller. The CODESYS Control runtime system provides several security features. To limit access to the programming port, it allows defining users with individual passwords or configuring role-based user management with graded access rights and multiple []

Tue, 13 Aug 2019 15:17:00 +0000
Vulnerabilities fixed in Mitsubishi Electric FR Configurator2 https://ics-cert.kaspersky.com/publications/blog/2019/07/26/fr-configurator/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/07/26/fr-configurator/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The vulnerabilities could allow an attacker to read arbitrary files or cause a denial-of-service condition

Fri, 26 Jul 2019 16:33:02 +0000
Dangerous vulnerabilities in Siemens TIA Administrator, SIMATIC WinCC and PCS7 https://ics-cert.kaspersky.com/publications/blog/2019/07/16/siemens-vulnerabilties/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/07/16/siemens-vulnerabilties/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Vulnerabilities can lead to a denial-of-service condition and command execution without proper authentication

Tue, 16 Jul 2019 16:36:24 +0000
Dangerous vulnerability in the IGSS system https://ics-cert.kaspersky.com/publications/blog/2019/07/16/schneider-electric-igss/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/07/16/schneider-electric-igss/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The vulnerability could allow an attacker to force the software to crash or to execute arbitrary code

Tue, 16 Jul 2019 16:16:32 +0000
Multiple vulnerabilities in Schneider Electric Floating License Manager https://ics-cert.kaspersky.com/publications/blog/2019/07/16/schneider-electric-flm/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/07/16/schneider-electric-flm/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In addition to Schneider Electric, security issues affect products from AVEVA Vijeo Citect and Citect SCADA

Tue, 16 Jul 2019 15:56:00 +0000
New vulnerability in Schneider Electric Modicon PLCs https://ics-cert.kaspersky.com/publications/blog/2019/07/09/schneider-electric-modicon/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/07/09/schneider-electric-modicon/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The vulnerability is due to an improper check for unusual or exceptional conditions and could lead to denial of service

Tue, 09 Jul 2019 15:41:40 +0000
How we hacked our colleague’s smart home, or morning drum bass https://ics-cert.kaspersky.com/publications/reports/2019/07/01/fibaro-smart-home/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2019/07/01/fibaro-smart-home/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In this article, we publish the results of our study of the Fibaro Home Center smart home. We identified vulnerabilities in Fibaro Home Center 2 and Fibaro Home Center Lite version 4.540, as well as vulnerabilities in the online API.

Mon, 01 Jul 2019 10:00:29 +0000
Multiple vulnerabilities in ABB HMI solutions https://ics-cert.kaspersky.com/publications/blog/2019/06/28/abb-hmi/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/06/28/abb-hmi/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The vulnerabilities affect CP635 and CP651 control panels and PB610 Panel Builder 600

Fri, 28 Jun 2019 17:29:40 +0000
Critical vulnerability in SICK MSC800 PLC https://ics-cert.kaspersky.com/publications/blog/2019/06/28/sick-msc800/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/06/28/sick-msc800/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The vulnerability is caused by the use of hard-coded credentials

Fri, 28 Jun 2019 14:40:29 +0000
Multiple vulnerabilities in Advantech WebAccess/SCADA https://ics-cert.kaspersky.com/publications/blog/2019/06/28/webaccess-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/06/28/webaccess-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The vulnerabilities could lead to the disclosure of important information, deletion of files and remote code execution

Fri, 28 Jun 2019 13:45:49 +0000
Vulnerabilities in Phoenix Contact’s Automation Worx Software Suite https://ics-cert.kaspersky.com/publications/blog/2019/06/24/worx-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/06/24/worx-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Successful exploitation of the vulnerabilities could lead to remote execution of arbitrary code

Mon, 24 Jun 2019 15:18:57 +0000
Critical vulnerabilities in WAGO industrial switches https://ics-cert.kaspersky.com/publications/blog/2019/06/17/wago-fixed/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/06/17/wago-fixed/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Exploitation of the vulnerabilities could allow a remote compromise of the managed switch, resulting in disruption of communication and root access to the operating system

Mon, 17 Jun 2019 15:33:36 +0000
Ransomware disrupts production at four ASCO Industries plants https://ics-cert.kaspersky.com/publications/blog/2019/06/14/asco-ransomware/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/06/14/asco-ransomware/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A ransomware attack has caused ASCO plants in Belgium, Germany, Canada and the US to suspend their operations. 1000 employees have been placed on a one-week leave

Fri, 14 Jun 2019 15:40:38 +0000
Dangerous vulnerabilities identified in Phoenix Contact industrial switches and controllers https://ics-cert.kaspersky.com/publications/blog/2019/06/11/phoenix-contact/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/06/11/phoenix-contact/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The vulnerabilities allow attackers to gain unauthorized access to device configuration, decrypt passwords, cause denial of service, or bypass authentication

Tue, 11 Jun 2019 16:53:45 +0000
Dangerous vulnerability fixed in Cisco Industrial Network Director https://ics-cert.kaspersky.com/publications/blog/2019/06/11/cisco-ind/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/06/11/cisco-ind/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The vulnerability could be used by an authenticated, remote attacker to execute arbitrary code on devices running vulnerable software

Tue, 11 Jun 2019 16:19:24 +0000
Multiple vulnerabilities in Optergy Proton/Enterprise building management system https://ics-cert.kaspersky.com/publications/blog/2019/06/10/optergy/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/06/10/optergy/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main If successfully exploited, the vulnerabilities could allow an attacker to execute code remotely and gain full system access

Mon, 10 Jun 2019 14:21:15 +0000
Hasplm cookie without HTTPOnly attribute https://ics-cert.kaspersky.com/advisories/2019/06/05/klcert-19-030-hasplm-cookie-without-httponly-attribute/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/06/05/klcert-19-030-hasplm-cookie-without-httponly-attribute/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The Hasplm cookie does not have an HTTPOnly attribute.

Wed, 05 Jun 2019 13:46:00 +0000
Gemalto Admin Control Center uses cleartext communication with www3.safenet-inc.com https://ics-cert.kaspersky.com/advisories/2019/06/05/klcert-19-029-gemalto-admin-control-center-uses-cleartext-communication-with-www3-safenet-inc-com/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/06/05/klcert-19-029-gemalto-admin-control-center-uses-cleartext-communication-with-www3-safenet-inc-com/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Gemalto Admin Control Center, all versions prior to 7.92, uses cleartext HTTP to communicate with www3.safenet-inc.com to obtain language packs.

Wed, 05 Jun 2019 13:43:00 +0000
Critical vulnerabilities identified by Kaspersky Lab have been corrected in Siemens SIMATIC WinCC and SIMATIC PCS 7 https://ics-cert.kaspersky.com/publications/blog/2019/05/20/simatic-wincc-pcs-7/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/05/20/simatic-wincc-pcs-7/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Multiple vulnerabilities could lead to arbitrary code and command execution on a target system and a denial-of-service condition

Mon, 20 May 2019 09:06:19 +0000
Remote Code Execution Vulnerability in Siemens SIMATIC WinCC and SIMATIC PCS 7 https://ics-cert.kaspersky.com/advisories/2019/05/16/klcert-19-027-remote-code-execution-vulnerability-in-siemens-simatic-wincc-and-simatic-pcs-7/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/05/16/klcert-19-027-remote-code-execution-vulnerability-in-siemens-simatic-wincc-and-simatic-pcs-7/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An attacker with network access to affected installations, which are configured without “Encrypted Communication”, can execute arbitrary code. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected installation. No user interaction is required to exploit this security vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the device.

Thu, 16 May 2019 10:32:00 +0000
Siemens WinCC local denial of service https://ics-cert.kaspersky.com/advisories/2019/05/16/klcert-19-026-siemens-wincc-local-denial-of-service/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/05/16/klcert-19-026-siemens-wincc-local-denial-of-service/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An attacker with local access to the project file could cause a Denial-of-Service condition on the affected product while the project file is loaded. Successful exploitation requires access to the project file. An attacker could use the vulnerability to compromise availability of the affected system.

Thu, 16 May 2019 10:31:00 +0000
Siemens SIMATIC WinCC and SIMATIC PCS 7 remote code execution using specially crafted project files https://ics-cert.kaspersky.com/advisories/2019/05/16/klcert-19-025-siemens-simatic-wincc-and-simatic-pcs-7-remote-code-execution-using-specially-crafted-project-files/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/05/16/klcert-19-025-siemens-simatic-wincc-and-simatic-pcs-7-remote-code-execution-using-specially-crafted-project-files/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An attacker with access to the project file could run arbitrary system commands with the privileges of the local database server. The vulnerability could be exploited by an attacker with access to the project file. The vulnerability does impact the confidentiality, integrity, and availability of the affected system.

Thu, 16 May 2019 10:27:00 +0000
Kaspersky Industrial CTF 2019 Finals Results https://ics-cert.kaspersky.com/events/2019/04/29/ctf-2019-finals/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2019/04/29/ctf-2019-finals/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The finals of the Kaspersky Industrial CTF, an industrial cybersecurity contest, were just held in Singapore. The winner is the LC/BC team from Russia

Mon, 29 Apr 2019 10:33:31 +0000
Cybersecurity Insight – MIT workshops in partnership with Kaspersky Lab https://ics-cert.kaspersky.com/events/2019/04/05/cybersecurity-insight-2019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2019/04/05/cybersecurity-insight-2019/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main MIT held Cybersecurity Insight, providing presentations, practical workshops and an ICS CTF in partnership with Kaspersky Lab

Fri, 05 Apr 2019 08:49:01 +0000
Threat landscape for industrial automation systems. H2 2018 https://ics-cert.kaspersky.com/publications/reports/2019/03/27/threat-landscape-for-industrial-automation-systems-h2-2018/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2019/03/27/threat-landscape-for-industrial-automation-systems-h2-2018/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Main events of the six-month period, vulnerabilities identified in 2018, relevant threats, and statistics from ICS computers protected by Kaspersky products.

Wed, 27 Mar 2019 10:00:53 +0000
Metallurgical giant Norsk Hydro attacked by encrypting malware https://ics-cert.kaspersky.com/publications/blog/2019/03/22/metallurgical-giant-norsk-hydro-attacked-by-encrypting-malware/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/03/22/metallurgical-giant-norsk-hydro-attacked-by-encrypting-malware/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main On March 19, 2019, Norsk Hydro, one of the world’s largest aluminum producers, revealed that ransomware had been used in an attack against them.

Fri, 22 Mar 2019 15:43:06 +0000
UltraVNC Improper Initialization https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-024-ultravnc-improper-initialization/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-024-ultravnc-improper-initialization/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC before 1.2.2.4 contains multiple memory leaks (CWE-665) in VNC server code, which allow an attacker to read stack memory and can be abused for information disclosure.

Fri, 01 Mar 2019 14:53:00 +0000
UltraVNC Stack-based Buffer Overflow https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-023-ultravnc-stack-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-023-ultravnc-stack-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC before 1.2.2.4 has a stack buffer overflow vulnerability in VNC server code inside file transfer request handler, which can result in a denial-of-service (DoS) condition.

Fri, 01 Mar 2019 14:52:08 +0000
UltraVNC Improper Null Termination https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-022-ultravnc-improper-null-termination/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-022-ultravnc-improper-null-termination/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC before 1.2.2.4 has multiple improper null termination vulnerabilities in VNC server code, which result in out-of-bounds data being accessed by a remote user.

Fri, 01 Mar 2019 14:52:00 +0000
UltraVNC Heap-based Buffer Overflow https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-021-ultravnc-heap-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-021-ultravnc-heap-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC before 1.2.2.4 has a heap buffer overflow vulnerability in VNC server code inside file transfer offer handler, which can potentially result in code execution.

Fri, 01 Mar 2019 14:51:07 +0000
UltraVNC Heap-based Buffer Overflow https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-020-ultravnc-heap-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-020-ultravnc-heap-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC before 1.2.2.4 has a heap buffer overflow vulnerability in VNC server code inside file transfer request handler, which can potentially result in code execution.

Fri, 01 Mar 2019 14:51:00 +0000
UltraVNC Off-by-one Error https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-019-ultravnc-off-by-one-error/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-019-ultravnc-off-by-one-error/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC before 1.2.2.4 has multiple off-by-one vulnerabilities in VNC server code, which can potentially result in code execution.

Fri, 01 Mar 2019 14:50:06 +0000
UltraVNC Heap-based Buffer Overflow https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-018-ultravnc-heap-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-018-ultravnc-heap-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC before 1.2.2.4 has a heap buffer overflow vulnerability in VNC server code inside file transfer handler, which can potentially result in code execution.

Fri, 01 Mar 2019 14:50:00 +0000
UltraVNC Out-of-bounds Read https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-017-ultravnc-out-of-bounds-read/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-017-ultravnc-out-of-bounds-read/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC before 1.2.2.4 has an out-of-bounds read vulnerability in VNC client code inside Ultra decoder, which results in a denial-of-service (DoS) condition of VNC client.

Fri, 01 Mar 2019 14:49:00 +0000
UltraVNC Stack-based Buffer Overflow https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-016-ultravnc-stack-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-016-ultravnc-stack-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC before 1.2.2.4 has a stack-based buffer overflow vulnerability in VNC client code inside FileTransfer module, which leads to a denial-of-service (DoS) condition of VNC client.

Fri, 01 Mar 2019 14:48:05 +0000
UltraVNC Off-by-one Error https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-015-ultravnc-off-by-one-error/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-015-ultravnc-off-by-one-error/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC revision 1206 has multiple off-by-one vulnerabilities in VNC client code connected with improper usage of ClientConnection::ReadString function, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1207.

Fri, 01 Mar 2019 14:48:00 +0000
UltraVNC Out-of-bounds Read https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-014-ultravnc-out-of-bounds-read/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-014-ultravnc-out-of-bounds-read/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC before 1.2.2.4 has an out-of-bounds read vulnerability in VNC client code inside TextChat module, which results in a denial-of-service (DoS) condition.

Fri, 01 Mar 2019 14:47:00 +0000
UltraVNC Access of Memory Location After End of Buffer https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-013-ultravnc-access-of-memory-location-after-end-of-buffer/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-013-ultravnc-access-of-memory-location-after-end-of-buffer/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC revision 1207 has multiple out-of-bounds access vulnerabilities connected with improper usage of ClientConnection::Copybuffer function in VNC client code, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. User interaction is required to trigger these vulnerabilities. These vulnerabilities have been fixed in revision 1208.

Fri, 01 Mar 2019 14:46:04 +0000
UltraVNC Access of Memory Location After End of Buffer https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-012-ultravnc-access-of-memory-location-after-end-of-buffer/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-012-ultravnc-access-of-memory-location-after-end-of-buffer/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC revision 1207 has multiple out-of-bounds access vulnerabilities connected with improper usage of SETPIXELS macro in VNC client code, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1208.

Fri, 01 Mar 2019 14:46:00 +0000
UltraVNC Access of Memory Location After End of Buffer https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-011-ultravnc-access-of-memory-location-after-end-of-buffer/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-011-ultravnc-access-of-memory-location-after-end-of-buffer/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC before 1.2.2.4 has an out-of-bounds access vulnerability in VNC client inside Ultra2 decoder, which can potentially result in code execution.

Fri, 01 Mar 2019 14:45:00 +0000
UltraVNC Stack-based Buffer Overflow https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-010-ultravnc-stack-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-010-ultravnc-stack-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC before 1.2.2.4 has a stack-based buffer overflow vulnerability in VNC client code inside ShowConnInfo routine, which leads to a denial-of-service (DoS) condition of VNC client.

Fri, 01 Mar 2019 14:44:03 +0000
UltraVNC Access of Memory Location After End of Buffer https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-009-ultravnc-access-of-memory-location-after-end-of-buffer/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-009-ultravnc-access-of-memory-location-after-end-of-buffer/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An attacker controlling a device with the UltraVNC Server running can perform remote code execution on the client devices to cause a denial-of-service condition, modify system's data and/or obtain sensitive information.

Fri, 01 Mar 2019 14:44:00 +0000
UltraVNC Heap-based Buffer Overflow https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-008-ultravnc-heap-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-008-ultravnc-heap-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC before 1.2.2.4 has multiple heap buffer overflow vulnerabilities in VNC client code inside Ultra decoder, which results in code execution.

Fri, 01 Mar 2019 14:43:00 +0000
UltraVNC Out-of-bound Read https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-007-ultravnc-out-of-bound-read/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-007-ultravnc-out-of-bound-read/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC Viewer before 1.2.2.4 has an out-of-bounds read vulnerability inside client CoRRE decoder, caused by multiplication overflow.

Fri, 01 Mar 2019 14:42:00 +0000
UltraVNC Out-of-bound Read https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-006-ultravnc-out-of-bound-read/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-006-ultravnc-out-of-bound-read/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC Viewer before 1.2.2.4 has an out-of-bounds read vulnerability in RRE decoder code, caused by multiplication overflow.

Fri, 01 Mar 2019 14:41:02 +0000
UltraVNC Memory Leak https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-005-ultravnc-memory-leak/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-005-ultravnc-memory-leak/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC revision 1198 contains multiple memory leaks (CWE-655) in VNC client code, which allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack appears to be exploitable via network connectivity. These vulnerabilities have been []

Fri, 01 Mar 2019 14:41:00 +0000
UltraVNC Heap-based Buffer Overflow https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-004-ultravnc-heap-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-004-ultravnc-heap-based-buffer-overflow/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An attacker controlling a device with the UltraVNC Server running can perform remote code execution on the client devices to cause a denial-of-service condition, modify system's data and/or obtain sensitive information.

Fri, 01 Mar 2019 14:38:00 +0000
UltraVNC Buffer Underwrite https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-003-ultravnc-buffer-underwrite/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-003-ultravnc-buffer-underwrite/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main UltraVNC Viewer before 1.2.2.4 has a buffer underflow vulnerability, which can potentially result in code execution.

Fri, 01 Mar 2019 14:36:00 +0000
AVEVA Wonderware System Platform Vulnerability – Unauthorized Access to Credentials https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-002-avea-wonderware-system-platform-vulnerability-unauthorized-access-to-credentials/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-002-avea-wonderware-system-platform-vulnerability-unauthorized-access-to-credentials/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main AVEVA Wonderware System Platform vulnerability leading to Unauthorized Access to Credentials.

Fri, 01 Mar 2019 14:35:00 +0000
DeltaV Authentication Bypass https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-001-deltav-authentication-bypass/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2019/03/01/klcert-19-001-deltav-authentication-bypass/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An attacker with network access to the affected distributed control system (DCS) workstation can bypass the authentication of a maintenance port via brute-force, because the number of login attempts is not limited. Having access to a maintenance port, the attacker can cause a denial-of-service condition.

Fri, 01 Mar 2019 14:33:00 +0000
Kaspersky Lab has taken part in S4x19 Industrial Cybersecurity Conference https://ics-cert.kaspersky.com/events/2019/01/31/s4-19/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2019/01/31/s4-19/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab presented its latest findings on CoDeSys Runtime vulnerabilities at the S4x19 conference, in what was a successful debut among competing industrial cybersecurity vendors

Thu, 31 Jan 2019 14:47:06 +0000
GreyEnergy’s overlap with Zebrocy https://ics-cert.kaspersky.com/publications/reports/2019/01/24/greyenergys-overlap-with-zebrocy/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2019/01/24/greyenergys-overlap-with-zebrocy/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Zebrocy is the name given to a subset of the Sofacy group (aka Fancy Bear, Sednit, APT28, Tsar Team, etc.). GreyEnergy and Zebrocy used the same servers at the same time and attacked the same organization.

Thu, 24 Jan 2019 09:00:06 +0000
Security research: ThingsPro Suite – IIoT gateway and device manager by Moxa https://ics-cert.kaspersky.com/publications/reports/2019/01/22/security-research-thingspro-suite-iiot-gateway-and-device-manager-by-moxa/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2019/01/22/security-research-thingspro-suite-iiot-gateway-and-device-manager-by-moxa/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The security of products such as IIoT requires special attention. This time, the subject of our research was the ThingsPro Suite, an IIoT gateway and device manager from Moxa.

Tue, 22 Jan 2019 10:00:12 +0000
Kaspersky Lab Joins Cybersecurity at MIT Sloan for Third Annual Academic Seminar https://ics-cert.kaspersky.com/events/2019/01/18/kaspersky-lab-joins-cybersecurity-at-mit-sloan-for-third-annual-academic-seminar/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2019/01/18/kaspersky-lab-joins-cybersecurity-at-mit-sloan-for-third-annual-academic-seminar/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab today announced it is working with the Cybersecurity at MIT Sloan Consortium (CAMS) to host the “Cybersecurity Insight” seminar, offering participants an opportunity to learn about current cybersecurity technologies, trends, and management practices. The event is open to the broad MIT community during MIT’s Independent Activities Period (IAP) from January 22 – 25.

Fri, 18 Jan 2019 10:18:04 +0000
Challenges of industrial cybersecurity https://ics-cert.kaspersky.com/publications/reports/2019/01/17/challenges-of-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2019/01/17/challenges-of-industrial-cybersecurity/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Factors that have a significant effect, now and going forward, on the threat landscape, on the development, implementation, and use of organizational and technical measures to protect industrial facilities, and the main issues associated with ensuring the cybersecurity of industrial enterprises.

Thu, 17 Jan 2019 10:00:26 +0000
Vulnerabilities in Schneider Electric industrial solutions https://ics-cert.kaspersky.com/publications/blog/2019/01/15/schneider-electric-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2019/01/15/schneider-electric-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Critical and severe vulnerabilities have been identified in GP-Pro EX programming environment, Zelio Soft software and IIoT Monitor platform

Tue, 15 Jan 2019 10:10:49 +0000
CodeSYS Control V3 Use of Insufficiently Random Values https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-037-codesys-control-v3-use-of-insufficiently-random-values/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-037-codesys-control-v3-use-of-insufficiently-random-values/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main CODESYS communication servers use insufficiently random values.

Wed, 19 Dec 2018 20:10:00 +0000
CodeSYS Control V3 Improper Communication Address Filtering https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-036-codesys-control-v3-improper-communication-address-filtering/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-036-codesys-control-v3-improper-communication-address-filtering/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main CODESYS routing protocol may disguise the source of crafted communication packets.

Wed, 19 Dec 2018 20:07:00 +0000
CodeSYS Control V3 Access Control Inactive by Default https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-035-codesys-control-v3-access-control-inactive-by-default/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-035-codesys-control-v3-access-control-inactive-by-default/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Neither communication encryption nor user authentication is activated by default, but must be activated by the user.

Wed, 19 Dec 2018 20:04:00 +0000
LibVNC NULL Pointer Dereference https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-034-libvnc-null-pointer-dereference/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-034-libvnc-null-pointer-dereference/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main LibVNCServer before a 0.9.12 release contains a null pointer dereference in VNC client code, which can result in denial-of-service condition.

Wed, 19 Dec 2018 10:16:00 +0000
LibVNC Memory leak https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-033-libvnc-memory-leak/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-033-libvnc-memory-leak/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main LibVNC before 8b06f835e259652b0ff026898014fc7297ade858 contains a CWE-665: Improper Initialization vulnerability in VNC Repeater client code, which could allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and bypass ASLR. This vulnerability has been fixed in 8b06f835e259652b0ff026898014fc7297ade858 and later.

Wed, 19 Dec 2018 10:14:00 +0000
LibVNC Multiple Memory Leaks https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-032-libvnc-multiple-memory-leaks/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-032-libvnc-multiple-memory-leaks/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple CWE-665: Improper Initialization weaknesses in VNC client code, which could allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory layout and bypass ASLR. This vulnerability has been fixed in 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 and later.

Wed, 19 Dec 2018 10:13:00 +0000
LibVNC Infinite Loop https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-031-libvnc-infinite-loop/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-031-libvnc-infinite-loop/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main LibVNCServer before a 0.9.12 release contains a CWE-835: Infinite Loop vulnerability in VNC client code. The vulnerability could allow an attacker to consume an excessive amount of resources, such as CPU and RAM.

Wed, 19 Dec 2018 10:11:00 +0000
LibVNC Heap Out-of-Bound Write https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-030-libvnc-heap-out-of-bound-write/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-030-libvnc-heap-out-of-bound-write/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main LibVNCServer before a 0.9.12 release contains a heap out-of-bound write vulnerability in a structure in VNC client code, which can result in remote code execution.

Wed, 19 Dec 2018 10:10:00 +0000
LibVNC Multiple Heap Out-of-Bound Vulnerabilities https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-029-libvnc-multiple-heap-out-of-bound-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-029-libvnc-multiple-heap-out-of-bound-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main LibVNCServer before a 0.9.12 release contains multiple heap out-of-bound write vulnerabilities in VNC client code, which can result in remote code execution.

Wed, 19 Dec 2018 10:08:00 +0000
LibVNC Heap Out-of-Bound Write https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-028-libvnc-heap-out-of-bound-write/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-028-libvnc-heap-out-of-bound-write/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main LibVNCServer before a 0.9.12 release contains a heap out-of-bound write vulnerability in the server code of the file transfer extension, which can result in remote code execution.

Wed, 19 Dec 2018 10:05:00 +0000
LibVNC Heap Use-After-Free https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-027-libvnc-heap-use-after-free/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-027-libvnc-heap-use-after-free/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main LibVNCServer before a 0.9.12 release contains a heap use-after-free vulnerability in the server code of the file transfer extension, which can result in remote code execution.

Wed, 19 Dec 2018 10:03:00 +0000
LibVNC Heap Use-After-Free https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-026-libvnc-heap-use-after-free/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/12/19/klcert-18-026-libvnc-heap-use-after-free/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main LibVNCServer before a 0.9.12 release contains a heap use-after-free vulnerability in the server code of the file transfer extension, which can result in remote code execution.

Wed, 19 Dec 2018 10:02:00 +0000
Critical vulnerabilities in Siemens SINUMERIK controllers https://ics-cert.kaspersky.com/publications/blog/2018/12/14/sinumerik/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/12/14/sinumerik/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Exploitation of vulnerabilities in Siemens SINUMERIK controllers could allow remote code execution, privilege escalation and device denial-of-service conditions

Fri, 14 Dec 2018 15:56:08 +0000
Kaspersky Lab and Fraunhofer IOSB conduct another joint training https://ics-cert.kaspersky.com/events/2018/12/14/kaspersky-lab-and-fraunhofer-iosb-conduct-another-joint-training/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2018/12/14/kaspersky-lab-and-fraunhofer-iosb-conduct-another-joint-training/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Another two-day course “Advanced Industrial Cybersecurity in Practice” was held in Germany. The course included theoretical sections followed by live demonstrations and exercises. An international group of participants left positive feedback

Fri, 14 Dec 2018 10:16:56 +0000
IoT Security in the ‘Smart Manufacturing’ world: a new study by ENISA https://ics-cert.kaspersky.com/publications/blog/2018/12/11/enisa-report/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/12/11/enisa-report/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main ENISA has released a new study: “Good Practices for Security of Internet of Things in the context of Smart Manufacturing”. Kaspersky Lab ICS CERT experts contributed to the study.

Tue, 11 Dec 2018 08:00:46 +0000
General Electric Proficy GDS XML eXternal Entity (XXE) https://ics-cert.kaspersky.com/advisories/2018/12/07/klcert-18-025-general-electric-proficy-gds-xml-external-entity-xxe/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/12/07/klcert-18-025-general-electric-proficy-gds-xml-external-entity-xxe/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An XXE injection vulnerability leads to path traversal inside the Proficy server. An attacker may be able to initiate an OPC UA session and retrieve an arbitrary file from the target system.

Fri, 07 Dec 2018 13:18:00 +0000
Kaspersky Industrial CTF 2018 Qualifications Results https://ics-cert.kaspersky.com/events/2018/11/29/ctf-2018-quals/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2018/11/29/ctf-2018-quals/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The online qualifications round for Kaspersky Industrial CTF 2018 took place on November 23-24. Over 1,000 teams registered with 130 eventually scoring points. The top 4 teams will participate in the finals

Thu, 29 Nov 2018 11:54:27 +0000
Kaspersky Lab ICS CERT Hands-on: IoT vulnerability research and exploitation training https://ics-cert.kaspersky.com/events/2018/11/27/kaspersky-lab-ics-cert-hands-on-iot-vulnerability-research-and-exploitation-training/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2018/11/27/kaspersky-lab-ics-cert-hands-on-iot-vulnerability-research-and-exploitation-training/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab ICS CERT is conducting a practical course in IoT vulnerability research. This class provides a deep dive into hardware analysis, firmware extraction and analysis, vulnerability research and exploitation.

Tue, 27 Nov 2018 11:07:44 +0000
Critical vulnerability in Modicon M221 PLC https://ics-cert.kaspersky.com/publications/blog/2018/11/23/modicon-m221/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/11/23/modicon-m221/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A critical vulnerability in Modicon M221 PLC could allow attackers to intercept traffic by remotely changing IPv4 parameters

Fri, 23 Nov 2018 15:10:17 +0000
RATs - are they Useful or Dangerous for your ICS https://ics-cert.kaspersky.com/events/2018/11/19/rats-are-they-useful-or-dangerous-for-your-ics/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2018/11/19/rats-are-they-useful-or-dangerous-for-your-ics/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In October 2018, Vyacheslav Kopeytsev, Security Researcher, Critical Infrastructure Threat Analysis, spoke at MALCON 2018, the 13th IEEE International Conference on Malicious and Unwanted Software, held this year in Massachusetts, USA.

Mon, 19 Nov 2018 10:47:52 +0000
Web vulnerabilities in Siemens SIMATIC operator panels https://ics-cert.kaspersky.com/publications/blog/2018/11/16/simatic-web/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/11/16/simatic-web/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The most serious of the vulnerabilities could allow arbitrary files to be downloaded from the device

Fri, 16 Nov 2018 13:15:35 +0000
Vulnerabilities in Siemens industrial products https://ics-cert.kaspersky.com/publications/blog/2018/11/16/siemens-nov18/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/11/16/siemens-nov18/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The most dangerous of the vulnerabilities affect the SIMATIC S7-400 CPU family and the SIMATIC IT Production Suite software package. The vulnerabilities have been fixed for most of the affected products

Fri, 16 Nov 2018 13:01:49 +0000
Schneider Electric has fixed a vulnerability in SESU software https://ics-cert.kaspersky.com/publications/blog/2018/11/08/sesu/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/11/08/sesu/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The vulnerability affects the Schneider Electric Software Update (SESU) tool, which is used to notify users when updated Schneider Electric software is available

Thu, 08 Nov 2018 11:22:53 +0000
Critical vulnerabilities in CirCarLife electric vehicle chargers https://ics-cert.kaspersky.com/publications/blog/2018/11/08/circarlife/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/11/08/circarlife/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Successful exploitation of these vulnerabilities could allow a remote attacker to retrieve credentials to bypass authentication, and to access critical information

Thu, 08 Nov 2018 08:41:52 +0000
Critical vulnerabilities in AVEVA industrial software https://ics-cert.kaspersky.com/publications/blog/2018/11/07/aveva-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/11/07/aveva-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The vulnerabilities affect InduSoft Web Studio and InTouch Edge HMI and could allow remote execution of arbitrary code

Wed, 07 Nov 2018 13:26:44 +0000
Multiple vulnerabilities in Advantech WebAccess https://ics-cert.kaspersky.com/publications/blog/2018/10/29/advantech-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/10/29/advantech-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Vulnerabilities identified in Advantech WebAccess include buffer overflow, path traversal, improper privilege management, etc.

Mon, 29 Oct 2018 16:14:29 +0000
Kaspersky Lab challenges whitehats to find flaws in IoT devices, in Capture the Flag competition https://ics-cert.kaspersky.com/events/2018/10/23/ctf-2018/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2018/10/23/ctf-2018/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab is launching the fourth international industrial Capture the Flag (CTF) security competition and inviting ethical hackers (whitehats) from across the world to test the security of smart devices and industrial systems

Tue, 23 Oct 2018 14:05:33 +0000
Phishing attack targeting Italian naval and defense industry https://ics-cert.kaspersky.com/publications/blog/2018/10/22/yoroi/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/10/22/yoroi/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The attackers attempted to infect computers with MartyMcFly remote access Trojan using phishing emails with malicious attachments

Mon, 22 Oct 2018 15:57:19 +0000
New GreyEnergy malware attacks industrial networks https://ics-cert.kaspersky.com/publications/blog/2018/10/19/greyenergy/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/10/19/greyenergy/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Experts point to the similarities between the new malware and BlackEnergy, and a possible connection of the attacks with the TeleBots criminal group

Fri, 19 Oct 2018 12:17:02 +0000
Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: Remote Code Execution https://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-024-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-remote-code-execution/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-024-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-remote-code-execution/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Remote Code Execution in Moxa ThingsPro IIoT Gateway and Device Management Software.

Thu, 18 Oct 2018 15:00:00 +0000
Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: Hidden Token Access https://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-023-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-hidden-token-access/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-023-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-hidden-token-access/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Hidden Token Access in Moxa ThingsPro IIoT Gateway and Device Management Software.

Thu, 18 Oct 2018 14:58:00 +0000
Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: Sensitive Information Stored in Clear Text https://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-022-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-sensitive-information-stored-in-clear-text/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-022-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-sensitive-information-stored-in-clear-text/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Sensitive Information Stored in Clear Text in Moxa ThingsPro IIoT Gateway and Device Management Software.

Thu, 18 Oct 2018 14:57:00 +0000
Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: Password Management Issue https://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-021-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-password-management-issue/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-021-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-password-management-issue/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Password Management Issue in Moxa ThingsPro IIoT Gateway and Device Management Software.

Thu, 18 Oct 2018 14:55:00 +0000
Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: Broken Access Control https://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-020-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-broken-access-control/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-020-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-broken-access-control/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Broken access control in Moxa ThingsPro IIoT Gateway and Device Management Software.

Thu, 18 Oct 2018 14:54:00 +0000
Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: User Privilege Escalation https://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-019-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-user-privilege-escalation/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-019-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-user-privilege-escalation/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main User Privilege Escalation in Moxa ThingsPro IIoT Gateway and Device Management Software.

Thu, 18 Oct 2018 14:52:00 +0000
Moxa ThingsPro IIoT Gateway and Device Management Software Solutions: User Enumeration https://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-018-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-user-enumeration/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-018-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-user-enumeration/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main User Enumeration in Moxa ThingsPro IIoT Gateway and Device Management Software.

Thu, 18 Oct 2018 14:49:00 +0000
Opportunities and challenges in digital transformation: sixth industrial cybersecurity conference organized by Kaspersky Lab https://ics-cert.kaspersky.com/events/2018/10/15/sochi/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2018/10/15/sochi/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The sixth conference on industrial cybersecurity organized by Kaspersky Lab was held on September 19-21 in Sochi, Russia. This year’s theme was ‘Industrial cybersecurity: opportunities and challenges in digital transformation’.

Mon, 15 Oct 2018 14:55:59 +0000
Siemens fixes new vulnerabilities in its products https://ics-cert.kaspersky.com/publications/blog/2018/10/12/siemens-fixes/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/10/12/siemens-fixes/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Vulnerable products include ROX II operating system, SIMATIC S7-1200 CPU family, SCALANCE W1750D access point and some SIMATIC PLCs

Fri, 12 Oct 2018 08:12:56 +0000
Multiple vulnerabilities in Wecon PI Studio https://ics-cert.kaspersky.com/publications/blog/2018/10/10/wecon/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/10/10/wecon/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Wecon PI Studio HMI solutions are affected by multiple vulnerabilities that could allow remote code execution and disclosure of sensitive information, including in the context of an administrator

Wed, 10 Oct 2018 12:25:27 +0000
Bridging the ICS cybersecurity awareness gap: webinar by Kaspersky Lab and Fraunhofer IOSB https://ics-cert.kaspersky.com/events/2018/10/10/webinar/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2018/10/10/webinar/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main On October 16, Kaspersky Lab and Fraunhofer IOSB are hosting a joint webinar to highlight the importance of ICS cybersecurity education and present a new ICS cybersecurity training course

Wed, 10 Oct 2018 10:01:41 +0000
First joint training by Kaspersky Lab and Fraunhofer IOSB https://ics-cert.kaspersky.com/events/2018/10/08/training-fraunhofer/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2018/10/08/training-fraunhofer/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main On September 26 – 27, 2018 Kaspersky Lab ICS CERT and Fraunhofer IOSB conducted their first “Advanced Industrial Cybersecurity in Practice” joint training course

Mon, 08 Oct 2018 14:50:01 +0000
Critical vulnerabilities in Entes EMG 12 converters https://ics-cert.kaspersky.com/publications/blog/2018/10/05/entes/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/10/05/entes/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Vulnerabilities in the web interface of EMG12 Ethernet Modbus Gateway devices could allow unauthorized access to the devices and the ability to change device configuration

Fri, 05 Oct 2018 15:32:38 +0000
Multiple vulnerabilities in Fuji Electric industrial products https://ics-cert.kaspersky.com/publications/blog/2018/10/02/fuji/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/10/02/fuji/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Multiple vulnerabilities affect the Alpha5 Smart Loader servo system, FRENIC Loader software, and FRENIC-Ace, FRENIC-Mini, FRENIC-Eco, FRENIC-Multi, and FRENIC-MEGA inverters

Tue, 02 Oct 2018 14:43:57 +0000
Critical vulnerabilities in Emerson AMS Device Manager https://ics-cert.kaspersky.com/publications/blog/2018/10/02/emerson-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/10/02/emerson-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Exploitation of vulnerabilities in Emerson AMS Device Manager, an industrial asset control system, could allow arbitrary code execution and malware injection

Tue, 02 Oct 2018 14:31:17 +0000
DeltaV Remote Code Execution https://ics-cert.kaspersky.com/advisories/2018/10/02/klcert-18-017-deltav-remote-code-execution/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/10/02/klcert-18-017-deltav-remote-code-execution/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Remote code execution in Emerson AMS Device Manager.

Tue, 02 Oct 2018 13:21:00 +0000
Dangerous vulnerabilities in Siemens industrial solutions https://ics-cert.kaspersky.com/publications/blog/2018/09/20/siemens/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/09/20/siemens/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Newly identified vulnerabilities affect SIMATIC WinCC OA HMI system, SCALANCE X switches and TD Keypad Designer tool

Thu, 20 Sep 2018 14:49:48 +0000
Threats posed by using RATs in ICS https://ics-cert.kaspersky.com/publications/reports/2018/09/20/threats-posed-by-using-rats-in-ics/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2018/09/20/threats-posed-by-using-rats-in-ics/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The paper provides an analysis of the prevalence of remote administration tools on OT networks and the threats associated with their use.

Thu, 20 Sep 2018 07:00:13 +0000
Schneider Electric products shipped with infected USB media https://ics-cert.kaspersky.com/publications/blog/2018/09/12/usb/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/09/12/usb/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main USB media infected with malware were shipped with Conext ComBox and Conext Battery Monitor products

Wed, 12 Sep 2018 10:36:55 +0000
Buffer overflow vulnerabilities in industrial automation products by Opto22 https://ics-cert.kaspersky.com/publications/blog/2018/09/11/opto22/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/09/11/opto22/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The vulnerability affects PAC Control Basic and PAC Control Professional version R10.0a and earlier and could allow arbitrary code execution

Tue, 11 Sep 2018 15:42:31 +0000
Threat landscape for industrial automation systems: H1 2018 https://ics-cert.kaspersky.com/publications/reports/2018/09/06/threat-landscape-for-industrial-automation-systems-h1-2018/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2018/09/06/threat-landscape-for-industrial-automation-systems-h1-2018/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In this report, Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the findings of its research on the threat landscape for industrial automation systems conducted during the first half of 2018.

Thu, 06 Sep 2018 10:00:18 +0000
Vulnerabilities in Schneider Electric industrial devices https://ics-cert.kaspersky.com/publications/blog/2018/08/31/schneider/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/08/31/schneider/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main New vulnerabilities have been identified in Schneider Electric PM5560 power meter and Modicon M221 logic controller

Fri, 31 Aug 2018 13:32:21 +0000
Princeton University researchers: causing power outages with IoT botnet https://ics-cert.kaspersky.com/publications/blog/2018/08/22/princeton/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/08/22/princeton/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A study has been published on the ways in which high-wattage smart devices could be used in attacks on the power grid

Wed, 22 Aug 2018 09:28:40 +0000
Multiple vulnerabilities in Emerson DeltaV DCS industrial workstations https://ics-cert.kaspersky.com/publications/blog/2018/08/22/deltav/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/08/22/deltav/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Critical vulnerabilities in industrial PCs used by Emerson’s DeltaV distributed control system could allow arbitrary code execution, malware injection or malware propagation to other workstations

Wed, 22 Aug 2018 09:11:51 +0000
Eltex ESR-200 Router Default Password Usage https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-016-eltex-esp-200-router-default-password-usage/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-016-eltex-esp-200-router-default-password-usage/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An attacker without authentication can log in with default credentials for privileged users.

Fri, 17 Aug 2018 11:39:00 +0000
Eltex ESR-200 Router Unsecure sudo Configuration https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-015-eltex-esp-200-router-unsecure-sudo-configuration/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-015-eltex-esp-200-router-unsecure-sudo-configuration/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An authenticated attacker with low privileges can use the unsecure sudo configuration to expand the attack surface.

Fri, 17 Aug 2018 11:38:00 +0000
Eltex ESR-200 Router Build-in user with highest privileges https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-014-eltex-esp-200-router-build-in-user-with-highest-privileges/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-014-eltex-esp-200-router-build-in-user-with-highest-privileges/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An authenticated attacker with low privileges can activate a high-privileged user and use it to expand the attack surface.

Fri, 17 Aug 2018 11:37:00 +0000
Eltex ESR-200 Router Information Disclosure https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-013-eltex-esp-200-router-information-disclosure/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-013-eltex-esp-200-router-information-disclosure/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An authenticated attacker with low privileges can extract password hash information for all users.

Fri, 17 Aug 2018 11:35:00 +0000
Eltex ESR-200 Router command injection https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-012-eltex-esp-200-router-command-injection/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-012-eltex-esp-200-router-command-injection/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An authenticated attacker can execute arbitrary code using command injection.

Fri, 17 Aug 2018 11:33:00 +0000
Kraftway-24F2XG Router Outdated Certificate Usage https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-011-kraftway-24f2xg-router-outdated-certificate-usage/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-011-kraftway-24f2xg-router-outdated-certificate-usage/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The use of SSLv2 and SSLv3, which contain cryptographic weaknesses, can lead to data decryption.

Fri, 17 Aug 2018 11:31:00 +0000
Kraftway-24F2XG Router Denial of Service https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-010-kraftway-24f2xg-router-denial-of-service/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-010-kraftway-24f2xg-router-denial-of-service/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A buffer overflow exploited through the web interface by a remote attacker causes denial of service.

Fri, 17 Aug 2018 11:29:00 +0000
Kraftway-24F2XG Router Possible Remote Code Execution https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-009-kraftway-24f2xg-router-possible-remote-code-execution/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-009-kraftway-24f2xg-router-possible-remote-code-execution/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A buffer overflow exploited through the web interface by a remote attacker can cause remote code execution.

Fri, 17 Aug 2018 11:27:00 +0000
Kraftway-24F2XG Router Denial of Service https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-008-kraftway-24f2xg-router-denial-of-service/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-008-kraftway-24f2xg-router-denial-of-service/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A remote attacker with low privileges can cause denial of service.

Fri, 17 Aug 2018 11:24:00 +0000
Kraftway-24F2XG Router Denial of Service https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-007-kraftway-24f2xg-router-denial-of-service/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-007-kraftway-24f2xg-router-denial-of-service/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A remote attacker can craft a malicious link and send it to a privileged user. This can cause denial of service.

Fri, 17 Aug 2018 11:22:00 +0000
Kraftway-24F2XG Router Default Credentials https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-006-kraftway-24f2xg-router-default-credentials/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/08/17/klcert-18-006-kraftway-24f2xg-router-default-credentials/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A remote attacker can get administrative privileges using default credentials.

Fri, 17 Aug 2018 11:20:00 +0000
Zipato Zipabox Sensitive Information Disclosure https://ics-cert.kaspersky.com/advisories/2018/08/08/klcert-18-217-zipato-zipabox-sensitive-information-disclosure/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/08/08/klcert-18-217-zipato-zipabox-sensitive-information-disclosure/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A remote attacker can get sensitive information that expands the attack surface.

Wed, 08 Aug 2018 11:38:00 +0000
Zipato Zipabox Weak Hash Algorithm https://ics-cert.kaspersky.com/advisories/2018/08/08/klcert-18-004-zipato-zipabox-weak-hash-algorithm/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/08/08/klcert-18-004-zipato-zipabox-weak-hash-algorithm/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A weak hashing algorithm allows an attacker to get passwords in clear text.

Wed, 08 Aug 2018 11:36:00 +0000
Zipato Zipabox Insecure configuration storage https://ics-cert.kaspersky.com/advisories/2018/08/08/klcert-18-003-zipato-zipabox-insecure-configuration-storage/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/08/08/klcert-18-003-zipato-zipabox-insecure-configuration-storage/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Insecure configuration storage allows an attacker to take control of the device and the smart home.

Wed, 08 Aug 2018 11:31:00 +0000
APT group called RASPITE attacks industrial enterprises https://ics-cert.kaspersky.com/publications/blog/2018/08/06/raspite/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/08/06/raspite/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Dragos has published information on a newly-identified APT group, which it calls RASPITE. According to Dragos, the group's activity overlaps significantly with that of Leafminer, a group identified earlier by Symantec

Mon, 06 Aug 2018 16:17:20 +0000
The Third Specialized Conference “IT Security for Industrial Systems” in Frankfurt https://ics-cert.kaspersky.com/publications/blog/2018/08/06/the-third-specialized-conference-it-security-for-industrial-systems-in-frankfurt/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/08/06/the-third-specialized-conference-it-security-for-industrial-systems-in-frankfurt/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main On November 12 – 13 the Third Specialized Conference “IT Security for Industrial Systems” will be held in Frankfurt.

Mon, 06 Aug 2018 10:57:24 +0000
Critical vulnerabilities in WECON LeviStudioU https://ics-cert.kaspersky.com/publications/blog/2018/08/03/levistudiou/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/08/03/levistudiou/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Buffer overflow vulnerabilities in WECON LeviStudioU could allow remote code execution.

Fri, 03 Aug 2018 13:59:26 +0000
Attacks on industrial enterprises using RMS and TeamViewer https://ics-cert.kaspersky.com/publications/reports/2018/08/01/attacks-on-industrial-enterprises-using-rms-and-teamviewer/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2018/08/01/attacks-on-industrial-enterprises-using-rms-and-teamviewer/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The malware used in these attacks installs legitimate remote administration software – TeamViewer or RMS – on the system. This enables the attackers to gain remote control of infected systems.

Wed, 01 Aug 2018 10:00:44 +0000
Buffer overflow vulnerabilities in AVEVA HMI solutions https://ics-cert.kaspersky.com/publications/blog/2018/07/24/aveva/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/07/24/aveva/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Vulnerabilities in HMI solutions InduSoft Web Studio, InTouch Machine Edition and InTouch could allow remote code execution and cause systems to be compromised

Tue, 24 Jul 2018 12:12:16 +0000
Dangerous vulnerability fixed in Moxa NPort serial network interface devices https://ics-cert.kaspersky.com/publications/blog/2018/07/23/nport/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/07/23/nport/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A vulnerability in Moxa NPort 5210, 5230 and 5232 devices could allow a remote attacker to cause a resource exhaustion condition

Mon, 23 Jul 2018 16:00:17 +0000
Dangerous vulnerability identified in ABB Panel Builder 800 engineering software https://ics-cert.kaspersky.com/publications/blog/2018/07/19/abb/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/07/19/abb/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A vulnerability in Panel Builder 800 engineering software installed on ABB Panel 800 HMI devices could enable attackers to plant and execute arbitrary code on affected devices

Thu, 19 Jul 2018 12:36:43 +0000
Multiple vulnerabilities fixed in WAGO operator panels https://ics-cert.kaspersky.com/publications/blog/2018/07/17/edisplay/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/07/17/edisplay/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main WAGO has fixed multiple vulnerabilities in e!DISPLAY 7300T series HMA devices. Exploitation of these vulnerabilities could enable attackers to execute arbitrary code or overwrite critical files

Tue, 17 Jul 2018 10:30:14 +0000
DoS vulnerabilities in SIPROTEC 5 relays and EN100 communication module https://ics-cert.kaspersky.com/publications/blog/2018/07/17/siprotec-5/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/07/17/siprotec-5/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main DoS vulnerabilities have been identified in Siemens SIPROTEC 5 relays and the EN100 communication module. These vulnerabilities can be exploited by a remote attacker without requiring any privileges or user interaction

Tue, 17 Jul 2018 09:58:40 +0000
Multiple vulnerabilities in Allen-Bradley Stratix 5950 appliances https://ics-cert.kaspersky.com/publications/blog/2018/07/09/stratix/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/07/09/stratix/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Allen-Bradley Stratix 5950 network security appliances are affected by multiple vulnerabilities. The flaws, which are due to security issues in the Cisco ASA operating system used in the devices, could cause the appliances to malfunction

Mon, 09 Jul 2018 10:19:28 +0000
The State of Industrial Cybersecurity 2018: findings of joint survey by Kaspersky Lab and PAC https://ics-cert.kaspersky.com/publications/reports/2018/06/28/the-state-of-industrial-cybersecurity-2018-findings-of-joint-survey-by-kaspersky-lab-and-pac/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2018/06/28/the-state-of-industrial-cybersecurity-2018-findings-of-joint-survey-by-kaspersky-lab-and-pac/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab has published the results of The State of Industrial Cybersecurity study carried out in collaboration with PAC, a CXP Group Company, and based on a survey of 320 professionals representing companies from such sectors as manufacturing and industrial production, energy, mining, transport, and logistics.

Thu, 28 Jun 2018 09:00:40 +0000
Vulnerability in Delta Industrial Automation COMMGR software https://ics-cert.kaspersky.com/publications/blog/2018/06/27/delta/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/06/27/delta/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A buffer overflow vulnerability in Delta Industrial Automation COMMGR software could lead to remote code execution, cause the application to crash, or cause a denial-of-service condition in the application server

Wed, 27 Jun 2018 17:27:49 +0000
DoS vulnerability in Allen-Bradley CompactLogix and Compact GuardLogix controllers https://ics-cert.kaspersky.com/publications/blog/2018/06/27/allen-bradley-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/06/27/allen-bradley-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Remote attackers could cause a denial-of-service condition in Allen-Bradley CompactLogix and Compact GuardLogix controllers by exploiting a vulnerability in these devices

Wed, 27 Jun 2018 16:41:45 +0000
Cyberattack on satellite communications companies https://ics-cert.kaspersky.com/publications/blog/2018/06/26/satcom/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/06/26/satcom/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In a cyberattack on organizations in the US and Southeast Asia, hackers have used legitimate tools to infect systems that monitor and control communications satellites

Tue, 26 Jun 2018 10:06:28 +0000
Dangerous vulnerabilities fixed in Siemens routers and switches https://ics-cert.kaspersky.com/publications/blog/2018/06/19/scalance/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/06/19/scalance/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Siemens has closed serious vulnerabilities in its solutions. Affected devices include SCALANCE M875 industrial routers and SCALANCE X switches

Tue, 19 Jun 2018 12:03:51 +0000
Multiple vulnerabilities in U.motion Builder https://ics-cert.kaspersky.com/publications/blog/2018/06/13/u-motion-builder/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/06/13/u-motion-builder/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Multiple remote code execution vulnerabilities have been corrected in Schneider Electric’s U.motion Builder. Fixes for the vulnerabilities have been included in version 1.3.4 of the solution

Wed, 13 Jun 2018 15:30:44 +0000
Serious vulnerability in RSLinx Classic and FactoryTalk Linx Gateway by Rockwell Automation https://ics-cert.kaspersky.com/publications/blog/2018/06/09/rockwell-automation/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/06/09/rockwell-automation/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A serious vulnerability has been identified in Rockwell Automation solutions for industrial networks RSLinx Classic and FactoryTalk Linx Gateway

Sat, 09 Jun 2018 15:34:20 +0000
Critical vulnerability in Yokogawa STARDOM controllers https://ics-cert.kaspersky.com/publications/blog/2018/06/05/yokogawa/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/06/05/yokogawa/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Hardcoded credentials have been identified in Yokogawa STARDOM controllers, potentially leading to remote execution of arbitrary code on affected devices

Tue, 05 Jun 2018 15:30:46 +0000
Multiple vulnerabilities in Schneider Electric Floating License Manager https://ics-cert.kaspersky.com/publications/blog/2018/05/29/flm/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/05/29/flm/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Dangerous vulnerabilities have been identified in the Schneider Electric Floating License Manager platform.

Tue, 29 May 2018 13:04:54 +0000
VPNFilter malware can be used to detect SCADA equipment https://ics-cert.kaspersky.com/publications/blog/2018/05/28/vpnfilter/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/05/28/vpnfilter/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Cisco Talos researchers have detected new malware, which has been dubbed VPNFilter. To date, the malware has infected at least 500,000 routers and network-attached storage (NAS) devices in 54 countries of the world.

Mon, 28 May 2018 14:16:02 +0000
Serious vulnerabilities in TELEM-GW6/GWM data concentrators https://ics-cert.kaspersky.com/publications/blog/2018/05/28/telem/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/05/28/telem/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Vulnerabilities in Martem TELEM-GW6/GWM data concentrators could enable remote attackers to gain control of the industrial process, cause denial of service and execute arbitrary code

Mon, 28 May 2018 13:11:50 +0000
Serious vulnerability fixed in PACSystems industrial controllers https://ics-cert.kaspersky.com/publications/blog/2018/05/23/pacsystems/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/05/23/pacsystems/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A serious improper data validation vulnerability has been closed in some models of PACSystems industrial controllers. Exploitation of the vulnerability could cause affected devices to malfunction

Wed, 23 May 2018 14:42:01 +0000
Dangerous vulnerabilities identified in FL SWITCH industrial Ethernet switches https://ics-cert.kaspersky.com/publications/blog/2018/05/23/fl-switch/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/05/23/fl-switch/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Critical vulnerabilities have been identified in FL SWITCH series 3xxx, 4xxx and 48xxx industrial Ethernet switches. Updating the firmware of the switches to version 1.34 or higher is recommended to eliminate these vulnerabilities

Wed, 23 May 2018 12:41:21 +0000
OPC Foundation Consortium comments on Kaspersky Lab’s OPC UA security analysis report https://ics-cert.kaspersky.com/publications/blog/2018/05/22/opc-foundation-comments/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/05/22/opc-foundation-comments/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The OPC Foundation has published an official response to Kaspersky Lab’s analysis

Tue, 22 May 2018 12:29:06 +0000
DoS vulnerability in SIMATIC S7-400 controllers https://ics-cert.kaspersky.com/publications/blog/2018/05/18/simatic-dos/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/05/18/simatic-dos/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A hardware vulnerability in SIMATIC S7-400 CPUs could cause denial-of-service conditions of affected PLCs. Exploitation of the vulnerability does not require user interaction or any privileges

Fri, 18 May 2018 10:19:59 +0000
Multiple vulnerabilities closed in Advantech WebAccess https://ics-cert.kaspersky.com/publications/blog/2018/05/17/advantech-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/05/17/advantech-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Multiple serious vulnerabilities have been closed in Advantech’s WebAccess SCADA/HMI solution. Their exploitation could lead to sensitive information disclosure, arbitrary code execution and file deletion.

Thu, 17 May 2018 16:43:44 +0000
OPC UA security analysis https://ics-cert.kaspersky.com/publications/reports/2018/05/10/opc-ua-security-analysis/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2018/05/10/opc-ua-security-analysis/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This paper discusses our project that involved searching for vulnerabilities in implementations of the OPC UA protocol. In publishing this material, we hope to draw the attention of vendors that develop software for industrial automation systems and the industrial internet of things to problems associated with using such widely available technologies, which turned out to be quite common.

Thu, 10 May 2018 10:00:07 +0000
Vulnerabilities in Advantech WebAccess HMI Designer https://ics-cert.kaspersky.com/publications/blog/2018/04/26/advantech/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/04/26/advantech/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Dangerous vulnerabilities have been identified in Advantech WebAccess HMI Designer. Their exploitation could lead to remote code execution

Thu, 26 Apr 2018 14:21:04 +0000
Energetic Bear / Crouching Yeti: attacks on servers https://ics-cert.kaspersky.com/publications/reports/2018/04/23/energetic-bear-crouching-yeti-attacks-on-servers/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2018/04/23/energetic-bear-crouching-yeti-attacks-on-servers/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This report by Kaspersky Lab ICS CERT presents information on identified servers that have been infected and used by the group. The report also includes the findings of an analysis of several webservers compromised by the Energetic Bear group during 2016 and in early 2017.

Mon, 23 Apr 2018 10:00:36 +0000
Education initiative by Kaspersky Lab ICS CERT and Fraunhofer IOSB https://ics-cert.kaspersky.com/events/2018/04/20/education-initiative-by-kaspersky-lab-ics-cert-and-fraunhofer-iosb/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2018/04/20/education-initiative-by-kaspersky-lab-ics-cert-and-fraunhofer-iosb/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab ICS CERT and Fraunhofer IOSB are working together to address industrial cybersecurity and awareness challenges.

Fri, 20 Apr 2018 13:35:34 +0000
Vulnerabilities in Rockwell Automation industrial networking solutions https://ics-cert.kaspersky.com/publications/blog/2018/04/19/rockwell-networking/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/04/19/rockwell-networking/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Critical vulnerabilities have been identified in several Rockwell Automation industrial networking devices. The issue is due to Cisco IOS or IOS XE versions with multiple vulnerabilities being used in these devices

Thu, 19 Apr 2018 15:58:58 +0000
Critical vulnerabilities in Schneider Electric industrial solutions https://ics-cert.kaspersky.com/publications/blog/2018/04/19/schneider-electric/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/04/19/schneider-electric/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Critical vulnerabilities have been identified in SCADA/HMI solutions InduSoft Web Studio and InTouch Machine Edition, and in the Triconex Tricon model 3008 Safety Instrumented System

Thu, 19 Apr 2018 10:50:41 +0000
Vulnerabilities in Moxa EDR-810 routers https://ics-cert.kaspersky.com/publications/blog/2018/04/18/moxa-edr-810/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/04/18/moxa-edr-810/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Multiple vulnerabilities have been identified in Moxa EDR-810 industrial routers. Their successful exploitation could lead to privilege escalation and denial-of-service conditions

Wed, 18 Apr 2018 09:02:35 +0000
Internet of Things Security Maturity Model description to be published https://ics-cert.kaspersky.com/publications/blog/2018/04/16/iot-smm/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/04/16/iot-smm/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The Industrial Internet Consortium has announced the publication of an official Internet of Things Security Maturity Model description.

Mon, 16 Apr 2018 17:57:09 +0000
Multiple vulnerabilities closed in U.motion Builder building automation solution https://ics-cert.kaspersky.com/publications/blog/2018/04/11/u-motion/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/04/11/u-motion/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Schneider Electric has closed multiple vulnerabilities in U.motion Builder – a total of 16 vulnerabilities with different severity levels (CVSS v.3 base score of 4.3 to 10)

Wed, 11 Apr 2018 17:49:28 +0000
Attack on Cisco switches https://ics-cert.kaspersky.com/publications/blog/2018/04/11/cisco-attack/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/04/11/cisco-attack/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A vulnerability in Cisco Smart Install Client was exploited in an attack on Cisco IOS switches to modify configuration files on the devices and cause a denial-of-service condition

Wed, 11 Apr 2018 10:29:38 +0000
Critical vulnerability closed in Moxa AWK-3131A industrial access point https://ics-cert.kaspersky.com/publications/blog/2018/04/06/moxa-awk-3131a/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/04/06/moxa-awk-3131a/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A critical vulnerability in Moxa AWK-3131A industrial access point could allow an unauthorized attacker to execute arbitrary code by injecting system commands

Fri, 06 Apr 2018 13:03:45 +0000
DoS vulnerability in Siemens SIMATIC products https://ics-cert.kaspersky.com/publications/blog/2018/04/03/simatic-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/04/03/simatic-2/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An Improper Input Validation vulnerability has been identified in Siemens SIMATIC industrial automation products.

Tue, 03 Apr 2018 15:32:05 +0000
Open for Insights: Kaspersky Lab Industrial Cybersecurity Conference 2018 Call for Papers https://ics-cert.kaspersky.com/events/2018/04/02/call-for-papers/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2018/04/02/call-for-papers/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main To drive the discussion around the future of OT cybersecurity and equip industry practitioners with the relevant knowledge and best practices, Kaspersky Lab invites industrial cybersecurity experts to submit their research and reports to its 6th annual conference on industrial cybersecurity by June 1

Mon, 02 Apr 2018 14:27:30 +0000
Critical vulnerability closed in TIM 1531 IRC modules https://ics-cert.kaspersky.com/publications/blog/2018/03/30/tim-1531-irc/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/03/30/tim-1531-irc/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Siemens has released a new firmware version for TIM 1531 IRC communication modules to close a critical vulnerability in these modules. If exploited, this vulnerability could lead to unauthorized changes in the module’s configuration and a denial of service condition

Fri, 30 Mar 2018 15:53:44 +0000
New vulnerabilities in Allen Bradley MicroLogix 1400 PLCs https://ics-cert.kaspersky.com/publications/blog/2018/03/30/allen-bradley/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/03/30/allen-bradley/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Serious vulnerabilities have been closed in Allen Bradley MicroLogix 1400 PLC series. Exploitation of these vulnerabilities could lead to unauthorized modification of PLC configuration and cause the devices to enter a denial-of-service condition

Fri, 30 Mar 2018 15:45:35 +0000
Multiple vulnerabilities identified in the Modicon family of industrial controllers https://ics-cert.kaspersky.com/publications/blog/2018/03/29/modicon/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/03/29/modicon/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main US CERT has published an advisory on vulnerabilities in the Modicon family of industrial controllers by Schneider Electric.

Thu, 29 Mar 2018 13:55:42 +0000
Improper Input Validation vulnerability in Siemens industrial devices https://ics-cert.kaspersky.com/publications/blog/2018/03/26/simatic/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/03/26/simatic/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A vulnerability that could cause a denial-of-service condition has been identified in Siemens industrial solutions. The vulnerability can only be exploited if the attacker is located in the same Ethernet segment as the targeted device

Mon, 26 Mar 2018 12:00:40 +0000
Serious vulnerability identified in Beckhoff TwinCAT PLC software solution https://ics-cert.kaspersky.com/publications/blog/2018/03/26/beckhoff/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/03/26/beckhoff/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Vulnerability in kernel drivers of Beckhoff TwinCAT 2 and 3.1 PLC software solutions for PLCs could allow local attackers to escalate privileges on target systems

Mon, 26 Mar 2018 11:59:14 +0000
Threat Landscape for Industrial Automation Systems in H2 2017 https://ics-cert.kaspersky.com/publications/reports/2018/03/26/threat-landscape-for-industrial-automation-systems-in-h2-2017/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2018/03/26/threat-landscape-for-industrial-automation-systems-in-h2-2017/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In this report, Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the findings of its research on the threat landscape for industrial automation systems conducted during the second half of 2017.

Mon, 26 Mar 2018 10:00:11 +0000
Somebody’s watching! When cameras are more than just ‘smart’ https://ics-cert.kaspersky.com/publications/reports/2018/03/12/somebodys-watching-when-cameras-are-more-than-just-smart/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2018/03/12/somebodys-watching-when-cameras-are-more-than-just-smart/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The researchers at Kaspersky Lab ICS CERT decided to check the popular smart camera to see how well protected it is against cyber abuses.

Mon, 12 Mar 2018 10:00:01 +0000
Siemens industrial solutions are affected by vulnerabilities in Intel ME, SPS and TXE technologies https://ics-cert.kaspersky.com/publications/blog/2018/03/01/siemens-intel/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/03/01/siemens-intel/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main 28 industrial solutions by Siemens are affected by vulnerabilities in Intel ME, SPS and TXE technologies. The vendor has released patches for all of these products and made these patches available on its website

Thu, 01 Mar 2018 16:00:03 +0000
IoT hack: how to break a smart home... again https://ics-cert.kaspersky.com/publications/reports/2018/02/28/iot-hack-how-to-break-a-smart-home-again/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2018/02/28/iot-hack-how-to-break-a-smart-home-again/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main There can never be too many IoT gadgets – that’s what people usually think when buying yet another connected device with advanced functionality. From our perspective, we also think there can’t be too many IoT investigations.

Wed, 28 Feb 2018 18:09:53 +0000
OMG botnet turns infected devices into proxy servers https://ics-cert.kaspersky.com/publications/blog/2018/02/27/omg/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/02/27/omg/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A new variant of the Mirai botnet can set up proxy servers on infected IoT devices

Tue, 27 Feb 2018 15:04:54 +0000
3.3% of ICS computers attacked by miners during the past year https://ics-cert.kaspersky.com/publications/blog/2018/02/22/cryptominers/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/02/22/cryptominers/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab has recorded an increase in the number of attacks involving cryptocurrency miners on the infrastructure of industrial enterprises, which started in September 2017. Miners can interfere with industrial process control and threaten process stability.

Thu, 22 Feb 2018 19:01:19 +0000
Vulnerabilities in GE D60 Line Distance Relay devices https://ics-cert.kaspersky.com/publications/blog/2018/02/22/d60/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/02/22/d60/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Critical vulnerabilities have been identified in General Electric D60 Line Distance Relay devices. The vulnerabilities could allow attackers to execute code on vulnerable systems.

Thu, 22 Feb 2018 15:45:17 +0000
Critical vulnerability in WAGO PFC200 controllers closed https://ics-cert.kaspersky.com/publications/blog/2018/02/22/wago/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/02/22/wago/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main WAGO has closed a critical vulnerability (improper authentication) in its PFC200 Series PLCs.

Thu, 22 Feb 2018 12:57:22 +0000
Kaspersky Lab and MIT host a successful second annual ‘Think Security’ seminar https://ics-cert.kaspersky.com/events/2018/02/19/think-security/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2018/02/19/think-security/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The Massachusetts Institute of Technology (MIT), in collaboration with Kaspersky Lab, hosted its second annual “Think Security” seminar devoted to protecting industrial automation systems from cyberattacks. The seminar featured an industrial Capture the Flag (CTF) contest

Mon, 19 Feb 2018 16:53:46 +0000
Multiple Vulnerabilities Found in Popular Document Management System https://ics-cert.kaspersky.com/publications/alerts/2018/02/12/multiple-vulnerabilities-found-in-popular-document-management-system/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/alerts/2018/02/12/multiple-vulnerabilities-found-in-popular-document-management-system/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) has identified multiple vulnerabilities in the Saperion Web Client, a web application developed by Kofax.

Mon, 12 Feb 2018 07:00:17 +0000
Saperion webclient multiple vulnerabilities: Arbitrary File Read in Saperion web client https://ics-cert.kaspersky.com/advisories/2018/02/09/klcert-18-002-saperion-webclient-multiple-vulnerabilities-arbitrary-file-read-in-saperion-web-client/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/02/09/klcert-18-002-saperion-webclient-multiple-vulnerabilities-arbitrary-file-read-in-saperion-web-client/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Remote exploitation of the discovered vulnerabilities leads to full compromise of the system running Saperion webclient.

Fri, 09 Feb 2018 13:25:00 +0000
Saperion webclient multiple vulnerabilities: Remote Code Execution with system user privileges in Saperion web client https://ics-cert.kaspersky.com/advisories/2018/02/09/klcert-18-001-saperion-webclient-multiple-vulnerabilities-remote-code-execution-with-system-user-privileges-in-saperion-web-client/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2018/02/09/klcert-18-001-saperion-webclient-multiple-vulnerabilities-remote-code-execution-with-system-user-privileges-in-saperion-web-client/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Remote exploitation of the discovered vulnerabilities leads to full compromise of the system running Saperion webclient.

Fri, 09 Feb 2018 13:22:00 +0000
Gas is too expensive? Let’s make it cheap! https://ics-cert.kaspersky.com/publications/reports/2018/02/07/gas-is-too-expensive-lets-make-it-cheap/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2018/02/07/gas-is-too-expensive-lets-make-it-cheap/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A few months ago, while undertaking unrelated research into online connected devices, we uncovered something surprising and realized almost immediately that we could be looking at a critical security threat.

Wed, 07 Feb 2018 09:21:27 +0000
Vulnerability in Nari PCS-9611 relays https://ics-cert.kaspersky.com/publications/blog/2018/01/29/nari/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/01/29/nari/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main An improper input validation vulnerability has been identified in the Nari PCS-9611 protection relay. Although an exploit for the vulnerability exists, the vendor has so far not commented on the problem.

Mon, 29 Jan 2018 06:27:36 +0000
A silver bullet for the attacker. A study into the security of hardware license tokens https://ics-cert.kaspersky.com/publications/reports/2018/01/22/a-silver-bullet-for-the-attacker-a-study-into-the-security-of-hardware-license-tokens/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2018/01/22/a-silver-bullet-for-the-attacker-a-study-into-the-security-of-hardware-license-tokens/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In recent years, the problem of vulnerabilities in industrial automation systems has become increasingly important. The fact that industrial control systems have been developing in parallel with IT systems, relatively independently and often without regard for modern secure coding practices, is probably the main source of ICS security problems.

Mon, 22 Jan 2018 10:00:27 +0000
MLAD: Machine Learning for Anomaly Detection https://ics-cert.kaspersky.com/publications/reports/2018/01/16/mlad-machine-learning-for-anomaly-detection/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2018/01/16/mlad-machine-learning-for-anomaly-detection/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Modern industrial control systems (ICS) are cyber-physical systems that include IT infrastructure and operational technologies or OT infrastructure. Attacks on OT pose the greatest danger and are very difficult to detect. The MLAD (Machine Learning for Anomaly Detection) technology is designed to protect OT.

Tue, 16 Jan 2018 18:00:27 +0000
Industrial solutions may be affected by Spectre and Meltdown vulnerabilities https://ics-cert.kaspersky.com/publications/blog/2018/01/12/spectre-meltdown/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2018/01/12/spectre-meltdown/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Vulnerabilities in Intel, ARM64 and AMD processors allow unauthorized access to virtual memory contents. Vulnerable devices include industrial equipment.

Fri, 12 Jan 2018 15:31:58 +0000
Serious vulnerabilities identified in Palo Alto firewalls https://ics-cert.kaspersky.com/publications/blog/2017/12/19/palo-alto/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/12/19/palo-alto/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Attackers can take advantage of vulnerabilities in the PAN-OS management interface to execute arbitrary code with superuser privileges.

Tue, 19 Dec 2017 11:36:39 +0000
TRITON attack. Comment by Kaspersky Lab ICS CERT expert https://ics-cert.kaspersky.com/publications/blog/2017/12/18/triton/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/12/18/triton/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The TRITON attack demonstrates an important property of attacks on industrial enterprises: they may show no signs of malicious computer activity.

Mon, 18 Dec 2017 14:38:07 +0000
The brief awakening of the Satori botnet https://ics-cert.kaspersky.com/publications/blog/2017/12/14/satori/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/12/14/satori/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The Satori botnet has used embedded exploits to attack ports 37215 and 52869. After reaching the size of 280,000 active bots, the botnet has suddenly folded its operations.

Thu, 14 Dec 2017 11:50:11 +0000
Cyber Security Tech Talk at the University of California, Berkeley https://ics-cert.kaspersky.com/events/2017/12/06/berkeley/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2017/12/06/berkeley/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab ICS CERT experts have held the first tech talk on industrial cyber security at UC Berkeley.

Wed, 06 Dec 2017 17:22:01 +0000
Dnsmasq Vulnerabilities Affect Siemens SCALANCE Solutions https://ics-cert.kaspersky.com/publications/blog/2017/12/05/dnsmasq/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/12/05/dnsmasq/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Siemens SCALANCE industrial solutions are affected by Dnsmasq vulnerabilities. An attacker could execute arbitrary code or conduct a DoS attack.

Tue, 05 Dec 2017 13:59:39 +0000
New Mirai Variant https://ics-cert.kaspersky.com/publications/blog/2017/12/04/new-mirai/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/12/04/new-mirai/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A new variant of the Mirai malware infects vulnerable ZyXEL devices, making them part of a botnet.

Mon, 04 Dec 2017 14:19:20 +0000
Vulnerabilities in Siemens SWT 3000 Devices https://ics-cert.kaspersky.com/publications/blog/2017/12/04/swt-3000/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/12/04/swt-3000/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Vulnerabilities in Siemens SWT 3000, a system used in the energy sector, allow attackers to gain access to sensitive information, circumvent authentication and conduct a DoS attack.

Mon, 04 Dec 2017 10:07:08 +0000
Industrial Enterprise and IoT Security Threats: Forecast for 2018 https://ics-cert.kaspersky.com/publications/reports/2017/11/30/industrial-enterprise-and-iot-security-threats-forecast-for-2018/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2017/11/30/industrial-enterprise-and-iot-security-threats-forecast-for-2018/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main 2017 was one of the most eventful years in terms of information security incidents affecting industrial systems, and it changed the way industrial companies think about protecting key operational technology systems.

Thu, 30 Nov 2017 12:08:48 +0000
Intel Releases Updates to Close ME, SPS and TXE Vulnerabilities https://ics-cert.kaspersky.com/publications/blog/2017/11/24/intel-updates/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/11/24/intel-updates/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Serious vulnerabilities have been found in Intel processors. These flaws also affect industrial equipment. Intel has released the relevant updates and equipment vendors now need to integrate them into their products.

Fri, 24 Nov 2017 16:36:13 +0000
Siemens Industrial Solutions Are Vulnerable to Denial-of-Service Attacks https://ics-cert.kaspersky.com/publications/blog/2017/11/24/siemens-dos-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/11/24/siemens-dos-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Siemens has announced that some of its industrial solutions are vulnerable to DoS attacks. Vulnerable devices include industrial controllers, field devices and shop floor automation systems.

Fri, 24 Nov 2017 13:36:54 +0000
Moxa Fixes Serious Vulnerabilities in NPort Serial Network Interface Devices https://ics-cert.kaspersky.com/publications/blog/2017/11/21/moxa-patch/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/11/21/moxa-patch/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Moxa has released updates that close serious flaws in NPort device firmware. Devices of this type were targeted in December 2015 attacks on Ukrainian power companies.

Tue, 21 Nov 2017 13:50:10 +0000
Serious Vulnerabilities Found in Siemens SICAM RTU Modules https://ics-cert.kaspersky.com/publications/blog/2017/11/17/siemens-sicam-rtu-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/11/17/siemens-sicam-rtu-vulnerabilities/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Serious vulnerabilities allowing attackers to execute code remotely and bypass authentication have been identified in Siemens SICAM RTU modules. Disabling the integrated web server is recommended to reduce risk.

Fri, 17 Nov 2017 15:34:37 +0000
Schneider Electric Closes Critical Vulnerability in HMI Products https://ics-cert.kaspersky.com/publications/blog/2017/11/16/schneider-hmi/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/11/16/schneider-hmi/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Schneider Electric has released patches for a vulnerability that affects the InduSoft Web Studio and HMI InTouch Machine Edition products.

Thu, 16 Nov 2017 12:06:27 +0000
Vendors Confirm That Industrial Solutions Are Vulnerable to KRACK Attacks https://ics-cert.kaspersky.com/publications/blog/2017/11/15/ics-krack/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/11/15/ics-krack/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Several companies, including Cisco, Rockwell Automation, Sierra Wireless, ABB and Siemens, have reported vulnerabilities in their industrial devices. The vendors are preparing updates to close these vulnerabilities and will release the patches as they are ready.

Wed, 15 Nov 2017 14:58:58 +0000
The Relevance of WPA2 Vulnerabilities and KRACK Attacks to Industrial Systems https://ics-cert.kaspersky.com/publications/reports/2017/11/15/the-relevance-of-wpa2-vulnerabilities-and-krack-attacks-to-industrial-systems/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2017/11/15/the-relevance-of-wpa2-vulnerabilities-and-krack-attacks-to-industrial-systems/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Critical vulnerabilities that have recently been identified in the WPA2 protocol enable threat actors to carry out Man-in-the-Middle (MitM) attacks and force devices connected to the network to reinstall encryption keys that protect traffic. These vulnerabilities can be used, among other things, to implement attacks on industrial automation systems.

Wed, 15 Nov 2017 14:30:47 +0000
New Botnet Recruits IoT Devices Across the Globe https://ics-cert.kaspersky.com/publications/blog/2017/11/09/reaper/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/11/09/reaper/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The Reaper IoT botnet includes about 10-20 thousand infected devices, with some of these devices possibly being used by industrial enterprises, hospitals, railway terminals and airports.

Thu, 09 Nov 2017 16:19:43 +0000
To Hack an Oil Refinery in 7 Hours https://ics-cert.kaspersky.com/events/2017/10/27/ctf_finals/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2017/10/27/ctf_finals/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The finals of Kaspersky Industrial CTF 2017, an industrial cybersecurity contest, were held in Shanghai. This was the third CTF (Capture the Flag) tournament organized by Kaspersky Lab and the first to have international status.

Fri, 27 Oct 2017 19:18:57 +0000
Bad Rabbit, Brother of [Ex]Petr https://ics-cert.kaspersky.com/publications/blog/2017/10/26/bad-rabbit/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/10/26/bad-rabbit/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab experts believe that the same threat actor is behind ExPetr and Bad Rabbit.

Thu, 26 Oct 2017 10:41:04 +0000
US-CERT Reports APT Attack on Critical Infrastructure https://ics-cert.kaspersky.com/publications/blog/2017/10/25/us-cert_apt/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/10/25/us-cert_apt/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main US-CERT has published a report on a targeted (APT) attack on government entities and organizations in energy, nuclear, aviation and other sectors. The attackers were interested in documents on industrial processes in targeted organizations.

Wed, 25 Oct 2017 09:39:01 +0000
WPA2 Vulnerabilities Can Be Used to Attack Industrial Systems https://ics-cert.kaspersky.com/publications/blog/2017/10/18/krack/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/10/18/krack/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main On October 16, information on critical vulnerabilities in the WPA2 protocol, which enable attackers to bypass protection and listen to Wi-Fi traffic, was disclosed. Comments from Kaspersky Lab ICS CERT experts.

Wed, 18 Oct 2017 17:58:43 +0000
The Results of Kaspersky Industrial CTF 2017 Qualifications Are In https://ics-cert.kaspersky.com/events/2017/10/10/tctf-2017-qual/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2017/10/10/tctf-2017-qual/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab has released the results of Kaspersky Industrial CTF 2017 qualifications, which were held online on October 6-8, 2017. This year’s tournament is truly international, with 696 teams from different countries participating in qualifications. The top three teams were, respectively, CyKor (Korea), Eat, Sleep, Pwn, Repeat (Germany) and Tokyo Westerns (Japan).

Tue, 10 Oct 2017 11:53:50 +0000
Safeguarding Technological Progress: Kaspersky Lab Holds Its Fifth Industrial Cyber Security Conference https://ics-cert.kaspersky.com/events/2017/10/06/conference-5/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/events/2017/10/06/conference-5/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab has held the Industrial Cybersecurity: Safeguarding Technological Progress conference in Saint Petersburg. The conference was devoted to the most pressing issues associated with protecting modern industrial systems from cyberthreats. Its 300 guests and speakers represented more than 170 organizations from over 15 countries across the globe.

Fri, 06 Oct 2017 15:47:35 +0000
Several more vulnerabilities found and closed in popular license manager https://ics-cert.kaspersky.com/publications/alerts/2017/10/03/several-more-vulnerabilities-found-and-closed-in-popular-license-manager/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/alerts/2017/10/03/several-more-vulnerabilities-found-and-closed-in-popular-license-manager/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab ICS CERT has identified multiple vulnerabilities in the hasplms service, which is part of Gemalto’s HASP SRM, Sentinel HASP and Sentinel LDK products: denial of service (DoS), NTLM relay attack, stack buffer overflow, remote enabling of the web admin interface, arbitrary memory read and possible remote code execution (RCE).

Tue, 03 Oct 2017 11:39:01 +0000
Sentinel LDK RTE: Remote enabling and disabling admin interface https://ics-cert.kaspersky.com/advisories/2017/10/02/klcert-17-008-sentinel-ldk-rte-remote-enabling-and-disabling-admin-interface/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2017/10/02/klcert-17-008-sentinel-ldk-rte-remote-enabling-and-disabling-admin-interface/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Remote enabling and disabling of the administrative interface opens new attack vectors on a remote system running Gemalto’s HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55.

Mon, 02 Oct 2017 16:49:00 +0000
Sentinel LDK RTE: Memory corruption might cause remote code execution https://ics-cert.kaspersky.com/advisories/2017/10/02/klcert-17-007-sentinel-ldk-rte-memory-corruption-might-cause-remote-code-execution/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2017/10/02/klcert-17-007-sentinel-ldk-rte-memory-corruption-might-cause-remote-code-execution/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Memory corruption in Gemalto’s HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 might cause remote code execution.

Mon, 02 Oct 2017 16:47:00 +0000
Sentinel LDK RTE: Arbitrary memory read from controlled memory pointer leads to remote denial of service https://ics-cert.kaspersky.com/advisories/2017/10/02/klcert-17-006-sentinel-ldk-rte-arbitrary-memory-read-from-controlled-memory-pointer-leads-to-remote-denial-of-service/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2017/10/02/klcert-17-006-sentinel-ldk-rte-arbitrary-memory-read-from-controlled-memory-pointer-leads-to-remote-denial-of-service/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Arbitrary memory read from controlled memory pointer in Gemalto’s HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 leads to remote denial of service.

Mon, 02 Oct 2017 16:44:00 +0000
Sentinel LDK RTE: Remote manipulations with language pack updater lead to NTLM-relay attack for system user https://ics-cert.kaspersky.com/advisories/2017/10/02/klcert-17-005-sentinel-ldk-rte-remote-manipulations-with-language-pack-updater-lead-to-ntlm-relay-attack-for-system-user/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2017/10/02/klcert-17-005-sentinel-ldk-rte-remote-manipulations-with-language-pack-updater-lead-to-ntlm-relay-attack-for-system-user/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Remote manipulations with language pack updater lead to NTLM-relay attack for system user in Gemalto’s HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55.

Mon, 02 Oct 2017 16:41:00 +0000
Sentinel LDK RTE: Stack overflow in custom XML-parser leads to remote denial of service https://ics-cert.kaspersky.com/advisories/2017/10/02/klcert-17-004-sentinel-ldk-rte-stack-overflow-in-custom-xml-parser-leads-to-remote-denial-of-service/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2017/10/02/klcert-17-004-sentinel-ldk-rte-stack-overflow-in-custom-xml-parser-leads-to-remote-denial-of-service/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Stack overflow in custom XML-parser in Gemalto’s HASP SRM, Sentinel HASP and Sentinel LDK products prior to Sentinel LDK RTE version 7.55 leads to remote denial of service.

Mon, 02 Oct 2017 16:37:00 +0000
Threat Landscape for Industrial Automation Systems in H1 2017 https://ics-cert.kaspersky.com/publications/reports/2017/09/28/threat-landscape-for-industrial-automation-systems-in-h1-2017/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2017/09/28/threat-landscape-for-industrial-automation-systems-in-h1-2017/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the results of its research on the threat landscape for industrial automation systems for the first six months of 2017.

Thu, 28 Sep 2017 12:00:52 +0000
Infected CCleaner in ICS around the world https://ics-cert.kaspersky.com/publications/alerts/2017/09/25/infected-ccleaner-in-ics-around-the-world/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/alerts/2017/09/25/infected-ccleaner-in-ics-around-the-world/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main On 18 September 2017, Piriform, a software company, announced that its CCleaner utility, which is designed to optimize the operation of Windows, had been hacked.

Mon, 25 Sep 2017 14:00:26 +0000
MITRE Grants Kaspersky Lab CVE Numbering Authority (CNA) Status https://ics-cert.kaspersky.com/publications/blog/2017/09/15/cna/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/09/15/cna/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The MITRE Corporation has recognized Kaspersky Lab as an authority in the area of vulnerabilities, granting the company the CVE Numbering Authority (CNA) status.

Fri, 15 Sep 2017 09:00:55 +0000
New Attack Vector Affecting Bluetooth Devices https://ics-cert.kaspersky.com/publications/blog/2017/09/15/blueborne/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/09/15/blueborne/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Researchers from Armis Labs have identified a new attack vector, dubbed BlueBorne, that endangers mobile, desktop and IoT operating systems, including Android, iOS, Windows, and Linux.

Fri, 15 Sep 2017 08:22:27 +0000
IBM Security Report on Cyber Security Risks in the Energy and Utilities Sector https://ics-cert.kaspersky.com/publications/blog/2017/09/13/ibm-on-cyber-security/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/09/13/ibm-on-cyber-security/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main IBM X-Force has published a report on cyber security risks in the energy and utilities sector.

Wed, 13 Sep 2017 13:40:16 +0000
New Wave of Cyberattacks in the Energy Sector of Europe and North America https://ics-cert.kaspersky.com/publications/blog/2017/09/07/attacks_energy_sector/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/09/07/attacks_energy_sector/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Symantec has published a report on new cyberattacks targeting the energy sector in Europe and North America.

Thu, 07 Sep 2017 14:59:14 +0000
Closing an XXE Vulnerability in Siemens Industrial Solutions https://ics-cert.kaspersky.com/publications/blog/2017/09/07/closing-an-xxe-vulnerability-in-siemens-industrial-solutions/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/09/07/closing-an-xxe-vulnerability-in-siemens-industrial-solutions/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main US ICS-CERT has published an advisory on fixes for a vulnerability in Siemens industrial products using the Discovery Service of the OPC UA protocol stack.

Thu, 07 Sep 2017 11:57:37 +0000
Abbott Recalls Pacemakers Due to Cyberattack Risk https://ics-cert.kaspersky.com/publications/blog/2017/09/04/abbott-recalls-pacemakers-due-to-cyberattack-risk/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/blog/2017/09/04/abbott-recalls-pacemakers-due-to-cyberattack-risk/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The U.S. Food and Drug Administration (FDA) has announced the recall of 465,000 cardiac pacemakers produced by Abbott for installation of a security update. The update patches cybersecurity vulnerabilities in the devices’ firmware.

Mon, 04 Sep 2017 13:21:26 +0000
Multiple vulnerabilities found in popular license manager https://ics-cert.kaspersky.com/publications/alerts/2017/07/28/multiple-vulnerabilities-found-in-popular-license-manager/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/alerts/2017/07/28/multiple-vulnerabilities-found-in-popular-license-manager/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab ICS CERT has identified multiple remote code execution (RCE) and denial of service (DoS) vulnerabilities in the hasplms service, which is part of Gemalto’s HASP SRM, Sentinel HASP and Sentinel LDK products.

Fri, 28 Jul 2017 11:59:24 +0000
Sentinel LDK RTE: malformed ASN1 streams in V2C files lead to Remote Code Execution https://ics-cert.kaspersky.com/advisories/2017/07/28/klcert-17-003-sentinel-ldk-rte-malformed-asn1-streams-in-v2c-files-lead-to-remote-code-execution/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2017/07/28/klcert-17-003-sentinel-ldk-rte-malformed-asn1-streams-in-v2c-files-lead-to-remote-code-execution/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Malformed ASN1 streams in V2C and similar input files can be used to generate stack buffer overflows. The vulnerability leads to arbitrary code execution. OVAL definition* KLCERT-17-003_OVAL

Fri, 28 Jul 2017 11:58:00 +0000
Sentinel LDK RTE: language packs containing malformed filenames lead to Remote Code Execution https://ics-cert.kaspersky.com/advisories/2017/07/28/klcert-17-002-sentinel-ldk-rte-language-packs-containing-malformed-filenames-lead-to-remote-code-execution/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2017/07/28/klcert-17-002-sentinel-ldk-rte-language-packs-containing-malformed-filenames-lead-to-remote-code-execution/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Language packs containing malformed filenames lead to a stack buffer overflow. The vulnerability leads to arbitrary code execution. OVAL definition* KLCERT-17-002_OVAL

Fri, 28 Jul 2017 11:57:01 +0000
Sentinel LDK RTE: language pack with invalid HTML files leads to Denial of Service https://ics-cert.kaspersky.com/advisories/2017/07/28/klcert-17-001-sentinel-ldk-rte-language-pack-with-invalid-html-files-leads-to-denial-of-service/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/advisories/2017/07/28/klcert-17-001-sentinel-ldk-rte-language-pack-with-invalid-html-files-leads-to-denial-of-service/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main A language pack (ZIP file) with invalid HTML files leads to NULL pointer access. A remote attacker can create their own language pack file containing an invalid HTML file. The vulnerability causes denial of service of the remote process. OVAL definition* KLCERT-17-001_OVAL

Fri, 28 Jul 2017 11:57:00 +0000
More than 50% of organizations attacked by ExPetr (Petya) cryptolocker are industrial companies https://ics-cert.kaspersky.com/publications/alerts/2017/06/29/more-than-50-percent-of-organizations-attacked-by-expetr-petya-cryptolocker-are-industrial-companies/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/alerts/2017/06/29/more-than-50-percent-of-organizations-attacked-by-expetr-petya-cryptolocker-are-industrial-companies/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main According to our telemetry, we see evidence that many industrial companies are being attacked by ExPetr (Petya) malware. While there were examples of actual industrial control systems being affected, in most cases only the business networks were affected. According to our data, at least 50% of the companies being attacked are manufacturing and oil & gas enterprises.

Thu, 29 Jun 2017 12:27:08 +0000
WannaCry on industrial networks: error correction https://ics-cert.kaspersky.com/publications/reports/2017/06/22/wannacry-on-industrial-networks/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2017/06/22/wannacry-on-industrial-networks/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main During the period from 12 to 15 May 2017, numerous companies across the globe were attacked by a network cryptoworm called WannaCry. The worm’s victims include various manufacturing companies, oil refineries, city infrastructure objects and electrical distribution network facilities.

Thu, 22 Jun 2017 11:00:06 +0000
Vulnerable System Update Statistics. General Electric https://ics-cert.kaspersky.com/publications/reports/2017/06/19/industrial-system-component-updates-general-electric/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2017/06/19/industrial-system-component-updates-general-electric/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This article is devoted to vulnerabilities in General Electric products. The article looks only at known vulnerabilities, a list of which was prepared using the MITRE CVE database. All the vulnerabilities in question were uncovered in 2012 – 2016.

Mon, 19 Jun 2017 11:00:51 +0000
Nigerian phishing: industrial companies under attack https://ics-cert.kaspersky.com/publications/reports/2017/06/15/nigerian-phishing-industrial-companies-under-attack/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2017/06/15/nigerian-phishing-industrial-companies-under-attack/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In late 2016, the Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) reported on phishing attacks that were primarily targeting industrial companies from the metallurgy, electric power, construction, engineering and other sectors.

Thu, 15 Jun 2017 09:00:12 +0000
WannaCry ransomware widespread attack may indirectly hit Industrial organizations https://ics-cert.kaspersky.com/publications/alerts/2017/05/14/wannacry-ransomware-widespread-attack-may-indirectly-hit-industrial-organizations/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/alerts/2017/05/14/wannacry-ransomware-widespread-attack-may-indirectly-hit-industrial-organizations/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The “WannaCry” outbreak was reported on May 12, 2017 by many independent sources all over the world. Based on KL ICS CERT live reports, we decided to warn industrial organizations that they might indirectly become victims of this widespread attack.

Sun, 14 May 2017 14:21:12 +0000
Threat Landscape for Industrial Automation Systems in the second half of 2016 https://ics-cert.kaspersky.com/publications/reports/2017/03/28/threat-landscape-for-industrial-automation-systems-in-the-second-half-of-2016/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2017/03/28/threat-landscape-for-industrial-automation-systems-in-the-second-half-of-2016/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main The Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) is starting a series of regular publications about our research devoted to the threat landscape for industrial organizations.

Tue, 28 Mar 2017 09:00:49 +0000
Spear phishing attack hits industrial companies https://ics-cert.kaspersky.com/publications/alerts/2016/12/16/spear-phishing-attack-hits-industrial-companies/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/alerts/2016/12/16/spear-phishing-attack-hits-industrial-companies/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main In October 2016, Kaspersky Lab ICS CERT detected a targeted attack aimed at industrial organizations. The worst affected were companies in the smelting, electric power generation and transmission, construction, and engineering industries.

Fri, 16 Dec 2016 12:00:51 +0000
Vulnerability in Industrial Control software and quality of the patch management https://ics-cert.kaspersky.com/publications/reports/2016/12/09/vulnerability-in-industrial-control-software-and-quality-of-the-patch-management/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2016/12/09/vulnerability-in-industrial-control-software-and-quality-of-the-patch-management/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main Kaspersky Lab ICS-CERT is launching a series of articles devoted to vulnerability analysis across the world. The articles aim to highlight patch management problems in the ICS world. Each article will focus on one popular ICS vendor and known vulnerabilities according to the MITRE Common Vulnerabilities and Exposures (CVE) database.

Fri, 09 Dec 2016 13:55:48 +0000
Critical infrastructure protection – governance around the world https://ics-cert.kaspersky.com/publications/reports/2016/12/02/critical-infrastructure-protection-governance-around-the-world/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main https://ics-cert.kaspersky.com/publications/reports/2016/12/02/critical-infrastructure-protection-governance-around-the-world/?utm_source=ics-cert.kaspersky.com&utm_medium=rss&utm_campaign=main This research is intended to find out which approaches to cybersecurity governance on the national level are currently in place around the world (especially in the sphere of protecting critical infrastructure against cyberattacks), and estimate the current maturity of cybersecurity governance in different countries.

Fri, 02 Dec 2016 14:44:37 +0000