Critical Infrastructure

DNS Hijacks Now Being Used to Serve Black Hole Exploit Kit

Attackers have been going after various pieces of the DNS infrastructure for a long time now, and it’s not unusual for there to be somewhat organized campaigns that target certain vertical industries or geographic regions. But researchers lately have been seeing an interesting pattern of compromises in which attackers somehow add new names to existing domains and use those sub-domains to piggyback on the good reputation of the sites and push counterfeit goods, pills and other junk. And now they’re using the attack to push exploits via the Black Hole Exploit Kit.

Another certificate authority in The Netherlands has been hacked, though this time the attack does not appear to have affected the certificate-issuing operations of Gemnet, a subsidiary of KPN. The company, which does business with the Dutch government among other organizations, said it has taken its Web site offline while it investigates the attack.

The security industry has no shortage of hard problems to solve, but the one that’s getting the most attention right now is finding a way to improve, or ideally, replace, the CA infrastructure. The latest in what has become a series of recent proposals to help shore up the certificate authority system comes from a pair of Google security researchers who have laid out a plan for providing auditable public logs of certificates as well as proofs for each certificate that’s issued.

The United States Department of Homeland Security cried foul yesterday morning, debunking claims from both the Illinois Statewide Terrorism and Intelligence Center (STIC) and Applied Control Solutions that a water station in Illinois was hacked earlier this month.

A flurry of reports late last week described an attack on an unnamed Springfield, Ill. water treatment facility where the plant’s supervisory control and data acquisition (SCADA) software was compromised by computers located in Russia.

Siemens said on Tuesday that it is working with the U.S. Department of Homeland Security to investigate a cyber intrusion into a water treatment plant in South Houston, Texas, but couldn’t confirm that a default, three-digit password hard-coded into an application used to control the company’s SCADA software played a role.

Duqu has been called the spawn of Stuxnet, or maybe some sort of stepchild or second cousin. That initial analysis came from some similarities in the code of the two attack tools, and now that researchers have had more time to pull Duqu apart and see how it works, it seems more and more likely that the two were written by the same group. In the second part of an interview with Costin Raiu, who has done a lot of research on Duqu, Threatpost editor Dennis Fisher talks with Raiu about the similarities to Stuxnet, the targets for Duqu and why the authors may have made a key mistake.
