Banks in Russia today were the target of a massive phishing campaign Attack.Phishing that aimed to deliver a tool used by the Silence group of hackers . The group is believed to have a background in legitimate infosec activities and access to documentation specific to the financial sector . The fraudulent emails purported to come Attack.Phishing from the Central Bank of Russia ( CBR ) and contained a malicious attachment . The message body lured Attack.Phishing the recipients to open the attachment in order to check the latest details on the `` standardization of the format of CBR 's electronic communications . '' Email authentication mechanism saves the day International cybersecurity company Group-IB investigated the attack and noticed that the style and format of the fake communication were very similar to the official CBR correspondence . This supports the theory that the attackers had access Attack.Databreach to legitimate emails from CBR . If Silence hackers have any ties with the legal side of reverse engineering and penetration testing , it is very likely that they are familiar with the documentation used by financial institutions and with how banking systems work . In a report published today , Group-IB says that the attackers spoofed Attack.Phishing the sender 's email address but the messages did not pass the DKIM ( DomainKeys Identified Mail ) validation . DKIM is a solution specifically designed to prevent forged email addresses by adding to the message a signature that confirms its authenticity . Banks see more spear-phishing Attack.Phishing from a different group The Silence hackers are not the only ones trying their spear-phishing Attack.Phishing game on Russian banks . On October 23 , another notorious group , MoneyTaker , ran a similar campaign against the same type of targets . Their message spoofed Attack.Phishing an email address from the Financial Sector Computer Emergency Response Team ( FinCERT ) and contained five attachments disguised as Attack.Phishing documents from CBR . `` Three out of five files were empty decoy documents , but two contained a download for the Meterpreter Stager . To carry out the attack , hackers used self-signed SSL certificates , '' says Rustam Mirkasymov , Group-IB Head of Dynamic Analysis of malware department and threat intelligence expert . These clues , along with server infrastructure associated with the MoneyTaker group , allowed the security experts to identify the perpetrator . As in the case of Silence , this attacker is also thought to have had access Attack.Databreach to CBR documents , most likely from compromised inboxes of Russian banks employees . This allowed them to craft Attack.Phishing messages that would pass even eyes trained in spotting fraudulent emails . Silence and MoneyTaker are the most dangerous threats to banks According to Group-IB , multiple groups use the Central Bank of Russia in spear-phishing Attack.Phishing operations , and for good reason , since the organization dictates regulations to financial institutions in the country and maintains a constant communication flow with them . Mirkasymov says that Silence and MoneyTaker are the most dangerous of all groups that threaten financial organizations . Referring to the latter , the expert says that its repertoire also includes drive-by attacks and testing the network for vulnerabilities . The goal is to access the internal nodes that enable them to withdraw money from ATMs , process cards or interbank transfers . Although Silence uses mainly phishing Attack.Phishing , they are more careful about crafting Attack.Phishing the message , paying attention to both content and design , adds Group-IB 's threat intelligence expert .

The industrial company on Tuesday released Vulnerability-related.PatchVulnerability mitigations for eight vulnerabilities overall . Siemens AG on Tuesday issued Vulnerability-related.PatchVulnerability a slew of fixes addressing Vulnerability-related.PatchVulnerability eight vulnerabilities spanning its industrial product lines . The most serious of the patched flaws include a cross-site scripting vulnerability in Siemens ’ SCALANCE firewall product . The flaw could allow an attacker to gain unauthorized access Attack.Databreach to industrial networks and ultimately put operations and production at risk . The SCALANCE S firewall is used to protect secure industrial networks from untrusted network traffic , and allows filtering incoming and outgoing network connections in different ways . Siemens S602 , S612 , S623 , S627-2M SCALANCE devices with software versions prior to V4.0.1.1 are impacted Vulnerability-related.DiscoverVulnerability . Researchers with Applied Risk , who discovered Vulnerability-related.DiscoverVulnerability the flaw , said Vulnerability-related.DiscoverVulnerability that vulnerability exists in Vulnerability-related.DiscoverVulnerability the web server of the firewall software . An attacker can carry out the attack by crafting Attack.Phishing a malicious link and tricking Attack.Phishing an administrator – who is logged into the web server – to click that link . Once an admin does so , the attacker can execute commands on the web server , on the administrator ’ s behalf . “ The integrated web server allows a cross-site scripting attack if an administrator is misled Attack.Phishing into accessing a malicious link , ” Applied Risk researcher Nelson Berg said in Vulnerability-related.DiscoverVulnerability an analysis Vulnerability-related.DiscoverVulnerability of the flaw . “ Successful exploitation may lead to the ability to bypass critical security measures provided by the firewall. ” Exploitation of this vulnerability could ultimately enable threat actors to bypass critical security functions provided by the firewall , potentially providing access to industrial networks and putting operations and production at risk . The vulnerability , CVE-2018-16555 , has a CVSS score which Applied Risk researcher calculates Vulnerability-related.DiscoverVulnerability to be 8.2 ( or high severity ) . That said , researchers said Vulnerability-related.DiscoverVulnerability a successful exploit is not completely seamless and takes some time and effort to carry out – for an attacker to exploit the flaw , user interaction is required and the administrator must be logged into the web interface . Researchers said Vulnerability-related.DiscoverVulnerability that no exploit of the vulnerability has been discovered Vulnerability-related.DiscoverVulnerability thus far . Siemens addressed Vulnerability-related.PatchVulnerability the reported vulnerability by releasing Vulnerability-related.PatchVulnerability a software update ( V4.0.1.1 ) and also advised customers to “ only access links from trusted sources in the browser you use to access the SCALANCE S administration website. ” The industrial company also released Vulnerability-related.PatchVulnerability an array of fixes for other vulnerabilities on Tuesday . Overall , eight advisories were released by the US CERT . Another serious vulnerability ( CVE-2018-16556 ) addressed Vulnerability-related.PatchVulnerability was an improper input validation flaw in certain Siemens S7-400 CPUs . Successful exploitation of these vulnerabilities could crash the device being accessed which may require a manual reboot or firmware re-image to bring the system back to normal operation , according to the advisory . “ Specially crafted packets sent to Port 102/TCP via Ethernet interface , via PROFIBUS , or via multi-point interfaces ( MPI ) could cause the affected devices to go into defect mode . Manual reboot is required to resume normal operation , ” according to US Cert . An improper access control vulnerability that is exploitable Vulnerability-related.DiscoverVulnerability remotely in Siemens IEC 61850 system configurator , DIGSI 5 , DIGSI 4 , SICAM PAS/PQS , SICAM PQ Analyzer , and SICAM SCC , was also mitigated Vulnerability-related.PatchVulnerability . The vulnerability , CVE-2018-4858 , has a CVSS of 4.2 and exists in Vulnerability-related.DiscoverVulnerability a service of the affected products listening on all of the host ’ s network interfaces on either Port 4884/TCP , Port 5885/TCP , or Port 5886/TCP . The service could allow an attacker to either exfiltrate Attack.Databreach limited data from the system or execute code with Microsoft Windows user permissions . Also mitigated Vulnerability-related.PatchVulnerability were an improper authentication vulnerability ( CVE-2018-13804 ) in SIMATIC IT Production Suite and a code injection vulnerability ( CVE-2018-13814 ) in SIMATIC Panels and SIMATIC WinCC that could allow an attacker with network access to the web server to perform a HTTP header injection attack .