CI-SOC Expands Robotron Advisory

Today, at an unusual afternoon press conference, Gen Turgidson, the Director of the Director for the National Critical Infrastructure Security Operations Center (CI-SOC), announced that on-going investigations related to yesterday’s announcement by Robotron had determined that a number of other vendor products were affected by the underlying JavaScript vulnerability. “We have already identified seven products from three other vendors that have SMS reporting tools that allow the exfiltration of system configuration files.” Turgidson told reporters. A new alert published today by CI-SOC did not name the vendors or products that have been identified. A CI-SOC spokesperson speaking on background said that the government was working with the vendors to develop mitigation measures and did not want their names released until such fixes were available. “We expect to announce those mitigation measures within the next couple of days,” she told reporters. The alert does note that any organization that has an industrial control system, building control system or security system that provides SMS alerts containing .PNG images of HMI screens associated with those alerts should contact CI-SOC. According to the alert, CI-SOC has a relatively simple test available that identifies active exploits of the JavaScript vulnerability. Turgidson explained to reporters that the exploit of this vulnerability was a precursor tosome sort of potential future attack. “The configuration data would provide attackers insights into the cybersecurity weaknesses at the affected facilities that could potentially be exploited by a wide variety of potential actors, the General said. In a series of messages, cYberg0d, the researcher who originally reported the vulnerability being exploited, explained to me that the JavaScript module that they identified was designed to search for a number of specific control system related devices and copy their configuration files. The information would then be encoded in a .PNG file and sent to one of a series of cell phone numbers hardcoded in the module. When asked if this did not make the attacker vulnerable, Cyberg0d said that both the phone list and target systems had been changed in the module at least twice since he originally identified the problem. “The phones for the old numbers have probably been destroyed.” Johnathan Quest, spokesperson for the Federal Bureau of Inquiry confirmed that the FBI was working with CI-SOC to try to identify the identity of the attackers. “We are also working with a number of cybersecurity firms to keep an eye on the facilities that we have identified as being impacted by this problem,” Quest explained; “We are hoping to prevent any subsequent attacks on these facilities.” CAUTIONARY NOTE: This is a future news story –Future ICS Security NewsRead More