Ukraine Electric Grid Attack Techniques Revealed and Explained

[silicon_toad2000]

The first in-depth report on the Ukraine hack was published this morning by NERC's Electricity Sector Information Sharing and Analysis Center.
Infrastructure companies can use the report to perform gap analyses matching their defenses against the attack vectors that have now been clarified by the three top technical experts in industrial control systems security: Assante, Conway and Williams.
Given that level of expertise and transparency, regulatory agencies will quickly begin asking utility CEOs to demonstrate how they are closing the gaps that would make their companies vulnerable to life-changing power outages.
Without power, the economies and governments of developed countries would be immobilized. Suzanne Spaulding, DHS Undersecretary for National Protection concurs, saying she hopes the report will be a reality-check for US critical infrastructure owners. "I want ... [executives to say], 'what are we doing about this?'" to prevent similar attacks.

http://www.darkreading.com/vulnerabilities---threats/lessons-from-the-ukraine-electric-grid-hack/d/d-id/1324743

[White Stripes]

Like most targeted attacks, the Ukraine power grid attack began with a phishing email containing a malware-rigged attachment. In this case, Word Documents and Excel spreadsheets that when opened by users in the companies’ business network, dropped BlackEnergy3 malware

so.. once again... it was microsoft epic fail and pebkac...

[silicon_toad2000]

couldn't a .zip file do the same?

[White Stripes]

if you found a flaw in the archive program that was used... still has to pop out of user space and into administrator to do anything effective tho... this is where microsoft epic fails

http://arstechnica.com/information-technology/2010/03/half-of-windows-flaws-mitigated-by-removing-admin-rights/

After tabulating all the vulnerabilities published in Microsoft's 2009 Security Bulletins, it turns out 90 percent of the vulnerabilities can be mitigated by configuring users to operate without administrator rights, according to a report by BeyondTrust. As for the published Windows 7 vulnerabilities through March 2010, 57 percent are no longer applicable after removing administrator rights. By comparison, Windows 2000 is at 53 percent, Windows XP is at 62 percent, Windows Server 2003 is at 55 percent, Windows Vista is at 54 percent, and Windows Server 2008 is at 53 percent. The two biggest exploited Microsoft applications also fare well: 100 percent of Microsoft Office flaws and 94 percent of Internet Explorer flaws (and 100 percent of IE8 flaws) no longer work.

(emphasis mine)

old article is old but the fact that, at least at its publication, 40 to 50% of flaws could bypass user is sickening (hence epic fail) but at least the browser and office suite is (was?) pretty well protected... disabling things like powershell (an apparent malware magnet that has no business being on a workstation) and wow64 (ability to run 32bit code on 64bit windows) would be good ideas... for starters...

[White Stripes]

...and after some research apparently only windows server 2008 actually allows disabling wow64 ... huge missed opportunity

[silicon_toad2000]

Microsoft has added a feature to Office 2016 that allows enterprise
administrators to block macros from executing. The feature can be
configured for each application and is controlled through Group Policy.
It can be used to disable macros in documents that come from the
Internet zone.
http://www.theregister.co.uk/2016/03/23/ms_macro_blocking_tech/

[White Stripes]

Microsoft has added a feature to Office 2016 that allows enterprise
administrators to block macros from executing. The feature can be
configured for each application and is controlled through Group Policy.
It can be used to disable macros in documents that come from the
Internet zone.
http://www.theregister.co.uk/2016/03/23/ms_macro_blocking_tech/

took them long enough ... what about all the previous versions still in use tho?

[silicon_toad2000]

i guess they want you to upgrade...