Yesterday DHS ICS-CERT published an updated Joint Security Awareness Report (JSAR) on Shamoon and an advisory for an Optimalog vulnerability reported last year by Luigi.
US-CERT/ICS-CERT updated their earlier advisory on Shamoon. The new version adds almost three pages of mitigation measures that organizations can take to protect themselves (actually, only to reduce their vulnerability) against a Shamoon attack. The JSAR divides the mitigations into ‘tactical’ and ‘strategic’ measures. The measures are an interesting mixture of the common (‘Ensure that password policy rules are enforced…’), the old school (‘Execute daily backups of all critical systems.’) and the newer (‘the whitelisting of legitimate executable directories…’) security measures. Implementing all of the recommended actions will require a lot of work, particularly training.
There still isn’t anything in the JSAR that reports any specific ties of Shamoon to control systems. Of course, with the small number of reported infections it is hard to tell exactly what may or may not be at risk. At this point this is a low-probability, high-consequence threat. That makes one question the need to spend the time and money to implement the listed mitigations. I guess that’s what CSOs get the big money for.
Last November ICS-CERT published an alert based upon an uncoordinated disclosure by Luigi for the Optima APIFTP Server system. Yesterday ICS-CERT published an advisory on the twin vulnerabilities: a null pointer dereference and a loop with an unreachable exit condition. ICS-CERT reports that a relatively unskilled attacker could use the publicly available exploit to remotely execute a denial-of-service attack.
Optimalog has released a new version that no longer installs the APIFTP server by default. If the APIFTP server is to be used, Optimalog recommends configuring “the firewall and VPN accordingly”. There is no link to any Optimalog document or site that details that ‘accordingly’.
This advisory mentions Luigi’s uncoordinated disclosure but does not provide links to Luigi’s web page describing the vulnerability. Nor does it actually mention the original alert. The latter is unusual, but I thought that ICS-CERT had finally gotten it through their collective head that they had an obligation to give appropriate credit to the intellectual property that forms the basis of their report. Reid Wightman got credit last week, but Luigi doesn’t this week. I’m starting to see a pattern here: Digital Bond and the Washington Post carry enough weight to demand acknowledgement; an independent researcher doesn’t.