August 23, 2016
Ports in the US have reported attacks using an SQL injection flaw made public by a hacker known as bRpsd, who released a fully working exploit online without notifying the vendor in advance.
Following these events, ICS-CERT, the US-CERT division in charge of security alerts for industrial control systems (ICS), has issued advisories regarding the vulnerability’s existence and the ongoing series of attacks.
The affected application is Navis WebAccess, the Web-based component of the Navis maritime transportation logistics software suite, sold by the Cargotec Corporation.
Hacker dumps fully working Navis SQLi exploit code on Exploit-DB
ICS-CERT says the company became aware of the SQL injection zero-day on August 9, a day after bRpsd published his proof-of-concept code.
The Navis team released a patch on August 10 and started notifying customers. According to Cargotec, there are only 13 companies across the world currently deploying Navis software, five of them in the US.
A quick Google search reveals the Navis panels of at least three US companies. One of the companies that deploy Navis is Ports America, a corporation that manages 42 ports across the US and Canada, in 80 different locations, including large maritime hubs such as New York, Los Angeles, Miami, New Orleans, Boston, Portland, San Diego, Tampa, Vancouver, Houston, Jacksonville, and many more.
The notification didn’t come fast enough, and some ports reported attacks exploiting the SQL injection flaw.