#backdoor

D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmware before 1.05B64; DSR-250 and DSR-250N with firmware before 1.08B44; and DSR-500, DSR-500N, DSR-1000, and DSR-1000N with firmware before 1.08B77 stores account passwords in cleartext, which allows local users to obtain sensitive information by reading the Users[#]["Password"] fields in /tmp/teamf1.cfg.ascii.

The web interface on D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers; Planex BRL-04R, BRL-04UR, and BRL-04CW routers; and Alpha Networks routers allows remote attackers to bypass authentication and modify settings via an xmlset_roodkcableoj28840ybtide User-Agent HTTP header, as exploited in the wild in October 2013.

The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.

Overview McAfee has published a white paper titled “Global Energy Cyberattacks: Night Dragon,”McAfee, http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf, accessed February 10, 2011.  which describes advanced persistent threat activity designed to obtain sensitive data from targeted organizations in the global oil, energy, and petrochemical industries. According to the report, this activity began in 2009 or potentially as early as 2007. Impact The threat McAfee identifies as Night Dragon focused specifically on the energy sector; however, the tools and techniques used by Night Dragon can be highly successful when targeting any industry. Other sectors may also be vulnerable and under similar persistent cyber espionage attacks. Background According to the report, the attacks have been ongoing since November 2009 and involve social engineering, spear-phishing attacks, exploitation of Microsoft Windows operating systems vulnerabilities, Microsoft ...

Overview An asset owner recently notified the ICS-CERT that a vendor support contractor had added an administrative-level account during installation of new control systems software. The support contractor intended the account to be the default used to train their people for all future work on those systems. The addition of an administrative account to an ICS network with the password known by a contract company increases the cybersecurity risk to the asset owner. This advisory highlights existing practices that may adversely impact the cybersecurity of industrial control systems (ICS) environments relative to malicious actors. Impact All control systems maintained by vendors, integrators, or other contractors can potentially be impacted by the practice of adding “back door” administrative accounts for future access to perform maintenance, updates, or training. The impact to individual sites may vary, but the potential exists for an administrator-level username and password used by sup...

Overview ICS-CERT has received reports and investigated infections of the MariposaDefence Intelligence, http://defintel.com/docs/MariposaAnalysis.pdf, website last accessed March 15, 2010. botnet, which have affected the business networks of multiple control system owners in recent months. ICS-CERT has no information to indicate that these infections have specifically targeted United States Critical Infrastructure and Key Resources (CIKR), or any specific sector or organization. Background In May 2009, Defence Intelligence announced the discovery of a botnet, called “Mariposa.” An investigation followed this discovery and targeted bringing down the criminal network behind what has become one of the largest botnets on record. After months of investigation by the Guardia Civil in Spain, the FBI, security firm Panda Security, and Defence Intelligence, authorities took down a 12.7 million strong zombie network in December. In February 2010, Spanish authorities arrested three suspects in Sp...