Episode 301: ControlTalk NOW — Smart Buildings Videocast and PodCast for week ending Feb 3, 2019, features interviews with Ken Sinclair, owner and editor of Automated Buildings, who helps to navigate our journey through the perilous “Path of Least Disruption,” and rising entrepreneur and SandStar founder, Alper Üzmezler, CEO of BASSG and Alta Labs. [Read more…]
Dear Niagara Community Member,
Over the past few months, there has been some well-needed government and media discussion related to the cyber-security posture of control systems. Cyber-threat watchers note that there continues to be a significant number of control systems configured in an insecure manner, and most concerning, exposed on the Internet. Our goal is to have zero Niagara Framework® deployments that fit these descriptions. Towards this goal, we are reminding our customers [Read more…]
Episode 297: ControlTalk NOW — Smart Buildings Videocast and PodCast for week ending Dec 30, 2018 brings us to the brink of another New Year. Join ControlTalk NOW and our special guest, Marc Petock, as we engage in a comprehensive review of 2018, and then take a slightly serious and perceptive look at what 2019 is likely to bring — and which TRENDS will emerge. [Read more…]
Original release date: December 28, 2018. During the holidays, internet-connected devices also known as Internet of Things (IoT) are often popular gifts—such as smart TVs, watches, toys, phones, and tablets. This technology provides a level of convenience to our lives, [Read more…]
More Insights. More Innovations. Claim your place at Momentum, the conference dedicated to building innovations. Join product experts, distributors, integrators, contractors and exhibitors for three days of business-building insights and a chance to interact with the latest products and solutions. There’s also plenty of time for great food, drinks, networking and a round of golf in beautiful Orlando.
Momentum means moving forward and driving growth — and that’s what this conference is all about. Approximately 300 Distributors, Contractors, Sponsors, Honeywell Staff and Guests from across North America will gather for three days of informative workshops, training, industry forums, tradeshow exhibits, and networking events.
You’ll gain insights and best practices on Honeywell technology, connected edge devices, IP-based building automation controllers and more. Plus, you’ll deepen your knowledge of The Internet of Things while networking with your peers, helping you feel more connected than ever. Join us in Orlando — we look forward to connecting with you!
April 12, 2018, at 8:00 am PT/11:00 am ET
It’s not smart buildings – but any commercial building built or have renovated in the past 30 years that you should worry about.
- Life Safety Risks
- Equipment Failure
- Productivity Loss
- Network Hopping
- Brand Damage
- Legacy Building Controls Technology and Connectivity
- Risk Areas and Consequences
- Stakeholders Roles and Responsibilities
- Case Study Examples
- Step by Step Plan to Remediate
Episode 255: ControlTalk NOW — Smart Buildings Videocast and PodCast for week ending Feb 18, 2018 features our interview and cyber security discussion with two of our industry’s most venerated experts from Intelligent Buildings, Darryl Benson and Fred Gordy. Darryl and Fred offer the ControlTrends Community some astute advice and pose an interesting question to system integrators: Do you want to maintain the cyber security risks [Read more…]
Homeland Security Advisory TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer. Original release date: November 14, 2017. Systems Affected: Network systems
Overview: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.
FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.
This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with Volgmer malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the Volgmer malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.
For a downloadable copy of IOCs, see:
NCCIC conducted analysis on five files associated with or identified as Volgmer malware and produced a Malware Analysis Report (MAR). MAR-10135536-D examines the tactics, techniques, and procedures observed. For a downloadable copy of the MAR, see:
MAR IOCs (.stix)
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries.
It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer
The U.S. Government has analyzed Volgmer’s infrastructure and have identified it on systems using both dynamic and static IP addresses. At least 94 static IP addresses were identified, as well as dynamic IP addresses registered across various countries. The greatest concentrations of dynamic IPs addresses are identified below by approximate percentage:
India (772 IPs) 25.4 percent
Iran (373 IPs) 12.3 percent
Pakistan (343 IPs) 11.3 percent
Saudi Arabia (182 IPs) 6 percent
Taiwan (169 IPs) 5.6 percent
Thailand (140 IPs) 4.6 percent
Sri Lanka (121 IPs) 4 percent
China (82 IPs, including Hong Kong (12) 2.7 percent
Vietnam (80 IPs) 2.6 percent
Indonesia (68 IPs) 2.2 percent
Russia (68 IPs) 2.2 percent
As a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. In one of the samples received for analysis, the US-CERT Code Analysis Team observed botnet controller functionality.
Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications.
Malicious actors commonly maintain persistence on a victim’s system by installing the malware-as-a-service. Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service’s registry entry. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words.
Detection and Response
This alert’s IOC files provide HIDDEN COBRA indicators related to Volgmer. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.
When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.
Network Signatures and Host-Based Rules
This section contains network signatures and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility of false positives always remains. These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors.
alert tcp any any -> any any (msg:”Malformed_UA”; content:”User-Agent: Mozillar/”; depth:500; sid:99999999;)
description = “Malformed User Agent”
$s = “Mozillar/”
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $s
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include
temporary or permanent loss of sensitive or proprietary information,
disruption to regular operations,
financial losses incurred to restore systems and files, and
potential harm to an organization’s reputation.
DHS recommends that users and administrators use the following best practices as preventive measures to protect their computer networks:
Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
Keep operating systems and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
Maintain up-to-date antivirus software, and scan all software downloaded from the Internet before executing.
Restrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.
Do not follow unsolicited web links in emails. See Avoiding Social Engineering and Phishing Attacks for more information.
Response to Unauthorized Network Access
Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
The Active Cyber Defense Certainty Act (ACDC) amends the Computer Fraud and Abuse Act to make limited retaliatory strikes against cyber-miscreants legal in America for the first time. The bill would allow hacked organizations to venture outside their networks to identify an intruder and infiltrate their systems, destroy any data that had been stolen, and deploy “beaconing technology” to trace the physical location of the attacker.
A BILL To amend title 18, United States Code, to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ‘‘Active Cyber Defense Certainty Act’’.
Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.
This new webinar focused on organizational best practices to mitigate risk.
There’s only one day left to register for our new TridiumTalk webinar focused on cybersecurity. Join us September 19 at 11:00 a.m. Eastern U.S. to learn how to develop a strategy to defend against cyber threats.
Tridium chief architect Kevin T. Smith, author of our new white paper Cybersecurity and the IoT—Threats, Best Practices and Lessons Learned, will be leading the TridiumTalk. Recognized industry expert James Johnson will be moderating and taking questions.
With the game-changing IoT, cybersecurity should be a concern for everyone.
Adding network connectivity to any “thing” adds tremendous value, but also brings potential risks to an organization.
Click here to download our new white paper. Kevin and James will cover this material and provide additional insight during the TridiumTalk.
We look forward to you joining us on September 19.