Threat group builds custom malware to attack industrial systems

US security agencies say the tools can give hackers control of ICS and SCADA devices

Hackers have created custom tools to control a range of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, marking the latest threat to a range of critical infrastructure in the United States, according to several government agencies.

In an alert this week, the Cybersecurity and Infrastructure Security Agency, (CISA), Department of Energy (DOE), National Security Agency (NSA), and FBI said that some of the devices at risk including programmable logic controllers from Schneider Electric and Omron Electronics as well as Open Platform Communications Unified Architecture servers.

The tools enable threat groups to scan for, compromise, and eventually control affected device after gaining initial access to an organization's operational technology networks.

"Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities," the agencies wrote in the alert.

"By compromising and maintaining full system access to ICS/SCADA devices, APT [advanced persistent threat] actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions."

Cybersecurity firm Dragos identified the ICS-specific malware – which it calls Pipedream – earlier this year through independent research and work with partners.

Dragos researchers linked Pipedream to the threat group Chernovite.

The government agencies are urging critical infrastructure organizations – particularly those in the energy sector – to put in place recommended detection and mitigation processes, including using strong perimeter controls to isolate ICS and SCADA system and networks from corporate and internet networks and limit communications entering or leaving those perimeters.

They also recommend using multifactor authentication for remote access to ICS networks and devices.

Tim Erlin, vice president of strategy at cybersecurity firm Tripwire, told that industrial organizations need to pay heed to the government's alert.

"It's important to note that while this alert calls out tools for gaining access to specific industrial control systems, there's a bigger picture threat that involves more of the industrial control environment," Erlin said.

"Attackers need an initial point of compromise to gain access to the industrial control systems involved, and organizations should build their defenses accordingly."

Pointing to the extensive list of recommended mitigation processes, he noted that protecting against the threat "isn't a matter of simply applying a patch."

Government agencies over the last couple of years have put a spotlight on the cybersecurity threat to critical infrastructure within the United States, with the 2021 ransomware attacks on energy provider Colonial Pipeline and JBS Foods that had wide-ranging impacts in the country.

The threat has only grown with Russia's unprovoked invasion of Ukraine, with agencies warning of a spillover affect from the cyberattacks Russia and the threat groups it supports have launched against its neighbor.

The private sector also is moving to protect industrial systems in industries' automotive, semiconductor, energy, banking and telecommunications in particular. A new consortium called the Operational Technology Cybersecurity Coalition (OTCSA) includes such corporations as Coca-Cola, Honeywell and Blackberry and cybersecurity firms like Fortinet, ABB and Check Point.

The goal is to collect and share information with consortium members and government agencies.

In the latest alert, the agencies said the APT groups have created tools with modular architectures that enable them to run automated exploits against systems. The software includes a virtual console with a command line interface that mirrors what's in the targeted devices.

"Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities," they wrote. "The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters."

There also is a tool that installs and exploits a known flaw in ASRock-signed motherboard driver, AsrDrv103. The tool exploits the vulnerability tracked as CVE-2020-15368, executing malicious code in the Windows kernel and enabling the APT actors to move laterally within an IT or OT environment and disrupt critical devices and functions.

Dragos researchers wrote in a blog post that Pipedream is a "modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment."

The don't believe that Pipedream has yet been used in the wild, adding that it can execute 38 percent of known ICS attack techniques and 83 percent of known ICS attack tactics.

"While Chernovite is specifically targeting Schneider Electric and Omron controllers, there could be other modules targeting other vendors as well and Pipedream's functionality could work across hundreds of different controllers," they wrote.

"Said simply, a focus on the equipment vendor is misplaced, and instead the focus should be placed on the tactics and techniques the adversary is leveraging."

Along with isolating ICS and SCADA systems and leveraging multifactor authentication, the US agencies also are recommending such steps as having a cyber-incident plan in place, changing all passwords to targeted devices and systems and using strong passwords, maintain backups, implementing strong log collection and retention from ICS and SCADA systems and ensuring that applications are installed only when necessary for operation. ®

Other stories you might like

  • Start using Modern Auth now for Exchange Online
    Before Microsoft shutters basic logins in a few months

    The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.

    In an advisory [PDF] this week, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal executive civilian branch (FCEB) agencies – which includes such organizations as the Federal Communications Commission, Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.

    "Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth," CISA wrote. "After completing the migration to Modern Auth, agencies should block Basic Auth."

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading
  • Google location tracking to forget you were ever at that medical clinic
    Plus: Cyber-mercenaries said to target legal world, backdoor found on web servers, and more

    In brief Google on Friday pledged to update its location history system so that visits to medical clinics and similarly sensitive places are automatically deleted.

    In this post-Roe era of America, there is concern that cops and other law enforcement will demand the web giant hand over information about its users if they are suspected of breaking the law by seeking an abortion.

    Google keeps a log of its users whereabouts, via its Location History functionality, and provides some controls to delete all or part of those records, or switch it off. Now, seemingly in response to the above concerns and a certain US Supreme Court decision, we're told Google's going to auto-delete some entries.

    Continue reading

Biting the hand that feeds IT © 1998–2022