BLOG
May 18, 2022
Havex’s Tactics and Techniques in the Enterprise domain + mitigations
Havex is a Remote Access Trojan (RAT) that has been used in the Global Energy Sector Intrusion Campaign that started around the year 2013 and has been reported on by Seqred in its previous blog entries earlier this year – after Alert (AA22-083A), the Cybersecurity Advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) on the 24th March this year. Today we continue by presenting Havex’s Tactics & Techniques mapped to the ATT&CK for Enterprise framework together with mitigations.
Smart Home Security & Privacy
16.05.2022
Smart technology is affecting all areas of our lives. The possibility of having access to and control over everything at our fingertips, at any time and from any place, is very tempting and offers many advantages; however, it all comes at a security and privacy cost. The various internet-connected devices – such as Smart Burglar Alarms, Internet Security Cameras, Smart Locks or Remote Access Doorbells – collect enormous amounts of personal data, including logs of all interactions, location data, home details or voice samples (especially the likes of Alexa, Siri or Google Home).
Shared Responsibility for Security in the Public Cloud
12.05.2022
In general, cloud infrastructure can be broadly divided into two main layers. Firstly, there are all the hardware resources – the storage systems, servers, switches, routers, firewalls, etc. – which are the underlying, ‘invisible’ part of any cloud environment. All these devices need to be secured, physically and digitally, to ensure a safe and uninterrupted environment on which the functional side of the cloud can be virtualised. This part is managed by the cloud provider, and the cloud services user has no access to this sphere of the cloud.
Critical ROCKWELL AUTOMATION PLCs vulnerabilities
11.05.2022
On the last day of March this year, CISA released two Industrial Control Systems Advisories (CSAs) describing vulnerabilities affecting numerous versions of Rockwell’s Logix Controllers and several versions of its Studio 5000 Logix Designer application. The first vulnerability (CVE-2022-1161), with a severity rating of 10, allows an attacker with the ability to modify a user program to change the user program code on some ControlLogix, CompactLogix, and GuardLogix control systems without this being visible to the programmer of the PLC.
Compute in the cloud: relevant security considerations
09.05.2022
Cloud computing is fundamentally based on pooling resources and virtualisation is the technology used to convert fixed infrastructure into these pooled resources. At its most basic, virtualisation abstracts resources from their underlying physical assets. You can virtualise nearly anything in technology, from entire computers to networks to code. Many security processes are designed with the expectation of physical control over the underlying infrastructure and virtualisation adds two new layers for security controls:
TRITON’s Tactics and Techniques in the ICS domain
05.05.2022
TRITON malware was originally deployed in 2017 to disrupt the operations of a petrochemical plant in Saudi Arabia, and it has recently made headlines on the occasion of an indictment by the U.S. Department of Justice in a case concerning a Global Energy Sector Intrusion Campaign that lasted from 2011 to 2018. TRITON has the capability to reprogram Schneider Electric’s Triconex Tricon controllers with custom attacker-defined payloads when a Triconex device is running in ‘Program’ mode.
Mobile Device Security
03.05.2022
Last week we covered the topic of email security. As mentioned at that time, the second most common way of communicating these days, apart from email, is mobile devices, especially smartphones. They are great devices that make our busy lives easier to manage, but, as any convenience comes with a price, so does the convenience of using the multitude of functions available through a smartphone or other mobile device, starting with the device itself.
‘Pipedream’ – a surfacing threat targeting Industrial Control Systems (ICS)
28.04.2022
Two weeks ago, Dragos, the US-based industrial cybersecurity expert, reported that it has identified and analysed a new Industrial Control Systems (ICS)-specific malware named PIPEDREAM. This malware is a modular ICS attack framework that can be used to disrupt, degrade, and potentially destroy industrial environments and processes. It is the seventh known malware of this type, preceded by STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE/INDUSTROYER, TRISIS/TRITON, and INDUSTROYER. Dragos attributes PIPEDREAM to the CHERNOVITE (Dragos-designated) Activity Group, assessed to be highly motivated, skilled in software development methods, well versed in ICS protocols and intrusion techniques, and well-funded – most likely state-sponsored.
Email Security Enhancement
26.04.2022
The first email was sent over 50 years ago, and email remains the most popular form of communication (along with the mobile phone) these days. According to Statista, approximately 320 billion emails were sent every single day in 2021, and this figure is only expected to grow. We use email to communicate all sorts of things, and taking this into account it is amazing how insecure this technology is if we don’t give it a thought.
Havex’s Tactics and Techniques in the ICS domain + mitigations
21.04.2022
Just under a month ago, the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint Cybersecurity Advisory (CSA) containing details of a Global Energy Sector Intrusion Campaign executed between 2011 and 2018 by the Russian FSB. During that time, the FSB gained remote access to U.S. and international Energy Sector networks, deployed ICS malware, and collected and exfiltrated enterprise and ICS-related data. One of the identified malicious tools used in the years 2013 and 2014 was the remote access Trojan (RAT) Havex – also known as Backdoor.