Network Vision Fixes Code Injection Vulnerability in IntraVUE Software
Posted on February 27, 2015 by Kara Dunlap in Security
Organizations that use the IntraVUE network visualization software from Network Vision are advised to update their installations as soon as possible because older versions of the solution are plagued by a critical vulnerability.
A code injection flaw (CVE-2015-0977) was found in IntraVUE by Jürgen Bilberger of Daimler TSS GmbH, a security researcher who has discovered and reported vulnerabilities in several industrial control system (ICS) products in recent years.
According to an advisory from ICS-CERT, a remote, unauthenticated attacker can exploit the vulnerability to execute arbitrary operating system commands that could impact the availability, integrity, and confidentiality of affected servers.
This is a high-severity vulnerability with a CVSS base score of 10. Even an attacker with low skill could leverage the bug, but there is no evidence that an exploit is publicly available, ICS-CERT noted.
The security hole affects all Windows versions of IntraVUE prior to 2.3.0a14. The issue was addressed with the release of IntraVUE 2.3.0a14 on February 9. Since then, Network Vision has also released version 2.3.0a16, which brings some functionality improvements.
“It is recommended that the new version be applied as soon as possible. Users who have software support contracts with Network Vision can upgrade to the newest version at no cost,” reads the advisory from ICS-CERT.
Network Vision is a Newburyport, Massachusetts-based company that provides industrial Ethernet solutions for sectors such as automation, critical manufacturing, transportation, and water systems.
IntraVUE, the company’s flagship product, is designed to provide Ethernet device visualization and enable organizations to quickly identify issues affecting devices deployed in distributed and hostile environments. The solution can be used to identify duplicate MAC and IP addresses, connection or application faults, device or cable moves, and unauthorized connections.
Njw0rm Source Code Used to Create New RATs
Posted on January 23, 2015 by Kara Dunlap in Security
Malware developers have used the source code of the remote access tool (RAT) Njw0rm to create two new RATs, researchers at Trend Micro reported on Thursday.
Njw0rm is a variant of njRAT, a tool believed to have been developed by a Kuwait-based individual. In June 2014, Microsoft announced the results of an operation targeting njRAT (Bladabindi) and Njw0rm (Jenxcus). At the time, the company noted that cybercriminals could create their own versions of the malware because the necessary information and packages were available on public forums.
Trend Micro says the source code of Njw0rm was published on hacker forums in May 2013, after which cybercriminals started creating new pieces of malware based on the threat.
One of the new RATs is Kjw0rm. Version 2.0 of the malware was first spotted by the security firm in January 2014. Kjw0rm 0.5X and a new worm dubbed Sir DoOom emerged in December 2014.
The new pieces of malware come with an enhanced control panel and include several features not seen in Njw0rm. In addition to information on the victim’s IP address, location, operating system, and USB devices, Kjw0rm’s control panel includes data on installed antiviruses (v2.0) and the presence of the .NET framework (v0.5X). Sir DoOom, on the other hand, also provides the botmaster with information on RAM, firewalls, antiviruses, CPU/GPU, and product details (name, ID, key).
As far as functions are concerned, Njw0rm can execute commands and files, steal credentials, and receive updates from the attacker. The Kjw0rm RATs allow their master to shut down or restart the computer, open Web pages, and download and execute files and code.
Sir DoOom is even more interesting since it can be used to mine Bitcoin, launch DDoS attacks, control computers based on a timer, display messages, terminate antivirus processes, and open a website related to the Quran, the central religious text of Islam. This RAT is also designed to terminate itself if the presence of a virtual machine is detected.
Just like Njw0rm, the new threats are designed to propagate via removable devices. They hide some or all of the folders found on the infected device and create shortcut links pointing to the malware with the names of the hidden folders.
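A defender can check a removable drive for the artifact described above: a `.lnk` file in the drive root that carries the name of a hidden folder. The following is an added example, not code from Trend Micro or from this article; the `Entry` type, the function names, and the sample listing are assumptions constructed for illustration, and `scan_root` relies on Windows-only file attributes.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str      # file or folder name in the drive root
    is_dir: bool
    hidden: bool   # True when the Windows "hidden" attribute is set


def scan_root(path):
    """List the root of a mounted drive (Windows only: needs st_file_attributes)."""
    entries = []
    with os.scandir(path) as it:
        for e in it:
            attrs = e.stat(follow_symlinks=False).st_file_attributes
            entries.append(Entry(e.name, e.is_dir(follow_symlinks=False),
                                 bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return entries


def find_shortcut_decoys(entries):
    """Return sorted (shortcut, hidden_folder) pairs where a .lnk file
    has the same name as a hidden folder in the same listing."""
    hidden_dirs = {e.name.casefold(): e.name
                   for e in entries if e.is_dir and e.hidden}
    hits = []
    for e in entries:
        stem, ext = os.path.splitext(e.name)
        if e.is_dir or ext.casefold() != ".lnk":
            continue
        folder = hidden_dirs.get(stem.casefold())  # Windows names are case-insensitive
        if folder is not None:
            hits.append((e.name, folder))
    return sorted(hits)


# Constructed sample listing of a USB drive root (not taken from a real sample).
SAMPLE_ROOT = [
    Entry("Photos", True, True), Entry("Photos.lnk", False, False),
    Entry("Reports", True, True), Entry("reports.LNK", False, False),
    Entry("System Volume Information", True, True),  # normally hidden, no shortcut
    Entry("Backup", True, False), Entry("Backup.lnk", False, False),  # folder visible
    Entry("notes.txt", False, False),
]

if __name__ == "__main__":
    for shortcut, folder in find_shortcut_decoys(SAMPLE_ROOT):
        print(f"suspicious: {shortcut} masks hidden folder {folder!r}")
```

On a Windows host, `find_shortcut_decoys(scan_root("E:\\"))` runs the same check against a mounted drive, where the drive letter is a placeholder. A hit is a lead for triage, not a verdict; inspect the shortcut's target before opening it.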
“This evolution shows that the malware authors are becoming more active in developing new malware and using njw0rm as a template. Because of this pattern, we can expect to see more variants of this malware in the future,” Trend Micro threat response engineer Michael Marcos said in a blog post.