Security firm finds SCADA software flaws; won't report them to vendors
ReVuln will sell vulnerability information to private buyers as part of a commercial service, the company says
IDG News Service - Malta-based security start-up firm ReVuln claims to be sitting on a stockpile of vulnerabilities in industrial control software, but prefers to sell the information to governments and other paying customers instead of disclosing it to the affected software vendors.
In a video released Monday, ReVuln showcased nine "zero-day" vulnerabilities which, according to the company, affect SCADA (supervisory control and data acquisition) software from General Electric, Schneider Electric, Kaskad, Rockwell Automation, Eaton and Siemens. ReVuln declined to disclose the name of the affected software products.
SCADA software runs on regular computers, but is used by owners of critical infrastructure and other various types of industrial facilities to monitor and control industrial processes.
According to by ReVuln, the vulnerabilities it showcased Monday can allow attackers to remotely execute arbitrary code, download arbitrary files, execute arbitrary commands, open remote shells or hijack sessions on systems running the vulnerable SCADA software.
The attackers "can take control of the machine with the maximum privileges (SYSTEM on Windows) granted by the affected service," ReVuln co-founder and security researcher Luigi Auriemma said Monday via email. "They can install rootkits and other types of malware or obtain sensitive data (like passwords used on other computers of the same network) and obviously they can control the whole infrastructure."
The attacks can be executed from another computer on the internal network or, in many cases, from the Internet. Most of the products were designed to allow remote administration over the Internet, according to their documentation, Auriemma said.
It's also common to find such systems exposed to the Internet because of insecure configurations, the researcher said. "Shodan [a search engine that can be used to discover Internet-accessible industrial control systems] is giving us tons of interesting results about machines of big known companies that we can exploit remotely just at this moment."
General Electric, Schneider Electric, Rockwell Automation and the U.S. Department of Homeland Security, which operates the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) did not respond to requests for comment sent Monday.
"ICS-CERT has just contacted us some minutes ago requesting more details but we don't release information," Auriemma said. The vulnerabilities "are part of our portfolio for our customers so no public details will be released; they will remain private," he said.
Along with French vulnerability research firm VUPEN, ReVuln is among a few companies that openly sell vulnerability information to government agencies and other private customers and refuse to report the vulnerabilities their researchers find to the affected vendors so they can be fixed.
"The vulnerabilities included in our Zero-day feed [a subscription-based service] remain undisclosed by ReVuln unless either the vulnerability is discovered and reported by a third party or the vendor publicly or privately patches the issue," the company states on its website.
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts