Monday, July 30, 2012

Wednesday, July 25, 2012

WinCC default password: 7 years long story

Siemens recently published advisory about vulnerability in WinCC. Default hardcoded MS SQL passwords ('WinCCConnect/2WSXcder', 'WinCCAdmin/2WSXcde.')was used by StuxNet worm for infection. This vulnerability was fixed long time ago in SIMATIC WinCC V7.0 SP2 Update 1 (V Current patchlevel for WinCC is V7.0 SP3 Update 2. Looks like this is kindly reminder.
JFYI, this vulnerability wide known for 7 years from May 2005. First time it published on Siemens forum and publicly disclosed in April 2008.

Link and screenshot for history:

So correct credits for advisory: Max Prilepsky & Cyber.

PS. Mikko - perfect Cyrillic screen for you slides!

PPS. AC/DC? No way!

Tuesday, July 24, 2012

How to pwn nuclear plant with metasploit?

Mikko Hypponen wrote:

"...I received a series of emails from Iran. ... Atomic Energy Organization of Iran (AEOI)....

He wrote:

I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom.

According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used. The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down...I believe it was playing 'Thunderstruck' by AC/DC...

Looks like somebody know our secret and can pwn nuclear plant with metasploit.

2 Mikko:

Mikko, we know, you likes Russian guys, but this totally different case. It's not our fault. Really.

A: No way!

Sunday, July 8, 2012

XSS in HMI? So what?

Sometimes XSS  (and other client-side) very useful! Can help to exploit server-side vulnerabilities. Operator’s browser is proxy to SCADAnet!

Question: Anybody works with SCADA and Internet using same browser?
Correct answer: Yes!