The CyberX-Files – Issue #2
Digest of notable ICS cybersecurity content — curated by CyberX’s ICS security geeks
Here’s the second issue of The CyberX-Files — our monthly digest of news, research and analysis related to ICS, SCADA and OT security.
In this newsletter, you’ll find the latest thought-provoking and informative articles from the world of industrial cybersecurity.
As always, the CyberX team looks forward to your feedback!
In This Newsletter
- Industrial Safety Systems in the Bullseye
- Critical Infrastructure Firms Could Face Stiff Fines if they Fail to Comply with U.K. Gov’t Directive
- Vulnerable Industrial Controls Directly Connected to Internet? Why Not?
- Researchers Offer a VirusTotal for ICS
- Q&A: What CyberX is Doing to Help Address the Hackable State of Industrial Control Systems
- Triton Malware Exploited Zero-Day in Schneider Electric Devices
- Web Server Used in 100 ICS Products Affected by Critical Flaw
- Cryptocurrency Miners Not Uncommon on Industrial Systems
- The Triton Malware Framework – Reverse-Engineering a Recent ICS Cyberattack
ICS/SCADA/OT Security News
Industrial Safety Systems in the Bullseye
- TRITON/TRISIS joins the annals of game-changer industrial malware attacks like Stuxnet and BlackEnergy3 that ultimately led to sabotaging industrial processes of their targets.
- While TRITON/TRISIS was created to target a specific model and firmware version of Schneider’s Triconex Tricon safety instrumented systems (SIS), this type of attack could be retooled to target other major ICS/SCADA vendors’ SIS products and customers.
- “The interesting thing about safety and protection systems is they provide an opportunity for very simple, basic denial-of-service attacks,” says Ralph Langner, founder and CEO of Langner Communications. “If your goal is to shut down a plant, there are easier ways to do that than attack the safety systems … not even to attack it, but to trigger a shutdown condition.”
- Security experts warn that there are also much simpler ways to compromise industrial operations such as via remote access to ICS networks. If an attacker gets onto the network, there’s generally not that much security around the controllers themselves.
Critical Infrastructure Firms Could Face Stiff Fines if they Fail to Comply with U.K. Gov’t Directive
- The British government warned critical industries like energy, transport and water that they need to strengthen cybersecurity in order to avoid fines of up to £17 million.
- The government has set cybersecurity as a priority aiming to increase the resilience of the country’s critical infrastructure, especially when it comes to nation-state sponsored attacks.
- The quickest way to bolster security is to continuously monitor activity on all systems.
- In addition to appointing regulators, the government announced a new reporting system so that companies can more easily disclose cyber breaches and IT failures.
- The National Cyber Security Centre published guidance with 14 key principles to give clear advice about how to comply with the new cybersecurity regulations.
Vulnerable Industrial Controls Directly Connected to Internet? Why Not?
- Siemens released an update warning that their SIMATIC S7-300 and S7-400 PLCs are vulnerable to remote attacks that could allow someone to obtain login credentials to the system or reset it into a “defect” mode, shutting down the controller—essentially executing a DoS attack on whatever equipment it is attached to.
- A survey of devices using the Shodan search engine revealed that over 1,000 Siemens systems are directly accessible from the Internet via open TCP port 102.
- Many of these Siemens industrial control systems are easy targets for cybercriminals because they have not received the firmware updates required to mitigate the threats.
- Ralph Langner tweeted that, in any case, these Siemens devices are vulnerable by default — whether or not they’ve been patched.
CyberX In The News
Researchers Offer a VirusTotal for ICS
- At the S4x18 ICS cybersecurity conference in Miami, CyberX’s research team announced a cloud-based service for analyzing and detecting ICS malware.
- The ICS sandbox simulates real-world industrial networks, allowing ICS malware to execute and unpack, and then detects telltale malicious activities such as OPC scanning or overwriting PLC configuration files.
- Existing network sandbox technology for IT environments (such as VirusTotal) often misses ICS-specific malware because it doesn’t account for OT protocols and devices, and doesn’t simulate OT components.
- CyberX’s ICS malware sandbox is designed to spot ICS-specific malware more efficiently: its honeypot component simulates, for example, the traffic to and from a PLC, so the malware executes in a safe space while the sandbox unpacks it, uncovers its functions and matches them against other known variants. The tool includes OT software, virtualized ICS processes and files, and a low-interaction ICS network (the honeypot element).
- As Ralph Langner, a top Stuxnet expert, noted: the first variant of Stuxnet was sent to VirusTotal in 2007 but the malware was not discovered until 2012. “I strongly support the idea of a VirusTotal for ICS malware,” says Langner.
Q&A: What CyberX is Doing to Help Address the Hackable State of Industrial Control Systems (The Last Watchdog)
This conversation between Byron Acohido, a Pulitzer-winning journalist, and Phil Neray, CyberX’s VP of Industrial Cybersecurity, explores the current state of ICS security and why the vulnerability of OT networks has been elevated as an issue of substantive concern. The article addresses key ICS security topics such as:
- Why has OT security taken a back seat to IT security for so long?
- How is OT security different from IT security?
- What does CyberX bring to the table?
Triton Malware Exploited Zero-Day in Schneider Electric Devices
- The malware was discovered after it caused a shutdown at an organization in the Middle East.
- Schneider Electric informed its customers that Triton exploited zero-day vulnerabilities in their Triconex SIS devices.
- The company said the malware is capable of scanning and mapping the control systems to provide reconnaissance and issue commands to Tricon controllers.
- The malware deploys a Remote Access Trojan (RAT) onto the PLC that enables attackers to control the PLC via a remote network connection (as if by physical access).
- While it hasn’t been determined who sponsored the campaign, CyberX believes the malware was developed by Iran and targeted an organization in Saudi Arabia.
Web Server Used in 100 ICS Products Affected by Critical Flaw
- The latest flaw affects the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product, which allows users to view human-machine interfaces (HMIs) for PLCs in a web browser.
- The stack-based buffer overflow vulnerability could allow an attacker to cause a DoS condition and execute arbitrary code on the web server.
- The WebVisu product is used in 116 PLCs and HMIs from roughly 50 vendors, including Schneider Electric, WAGO, Hitachi, Advantech, Beck IPC, Berghof Automation, Hans Turck, and NEXCOM.
- Vulnerabilities in CODESYS components are not uncommon. Last April, industrial cybersecurity firm CyberX uncovered several critical flaws in the CODESYS web server.
Cryptocurrency Miners Not Uncommon on Industrial Systems
- CyberX used Shodan to locate a European wastewater facility infected with cryptocurrency mining malware.
- The threat was found on an HMI device running GE CIMPLICITY software, and CyberX managed to grab a screenshot of the infected HMI.
- While the infection vector is not known, CyberX VP of Research David Atch pointed out that older versions of the CIMPLICITY software are affected by CVE-2014-0751, a path traversal vulnerability that can be exploited for arbitrary code execution.
- The same flaw was exploited a few years ago by Russia-linked hackers to deliver the Black Energy malware. “Although it’s widely believed that Black Energy was developed by a state-sponsored hacking group (most likely Sandworm aka Telebots), the vulnerability is relatively easy to exploit and therefore it’s easy to imagine that non-state actors such as cybercriminal organizations now have access to tools that can exploit the same vulnerability,” Atch explained.
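The item above names a path traversal bug in an HMI web server as the likely way in. The check that closes that vulnerability class is short enough to show in full; the example below is added here and is not CIMPLICITY, CODESYS or CyberX code, and it does not reproduce CVE-2014-0751 itself. The document root, the request paths and the helper names are all constructed for the example. It decodes the request path once, normalises it, resolves it against the document root and refuses anything that lands outside the root, including backslash separators, encoded dot segments and NUL bytes.

```python
"""Document-root confinement for an HMI web server's file handler.

Added example, not CIMPLICITY, CODESYS or CyberX code. Shows the check that
closes the path-traversal class named in the newsletter item (it does not
reproduce CVE-2014-0751): decode the request path once, normalise it,
resolve it against the document root, and refuse anything outside the root.
"""
import os
import posixpath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a request path would resolve outside the document root."""


def resolve_request_path(document_root, request_path):
    """Map an HTTP request path onto a filesystem path inside document_root.

    Returns the absolute filesystem path, or raises PathTraversalError.
    """
    # Decode percent-encoding exactly once. Decoding twice is how servers end
    # up turning "%252e%252e" into "..", so the result of this step is final.
    decoded = unquote(request_path)
    if "\x00" in decoded:
        # A NUL byte can truncate the path in C code further down the stack.
        raise PathTraversalError("NUL byte in request path")

    # Treat backslashes as separators (servers on Windows hosts do), drop
    # leading slashes so the path is relative to the root, then collapse
    # "." and ".." segments lexically.
    relative = posixpath.normpath(decoded.replace("\\", "/").lstrip("/"))

    root = os.path.realpath(document_root)
    candidate = os.path.realpath(os.path.join(root, relative))

    # The decisive check: after symlink and ".." resolution the candidate must
    # be the root itself or a path strictly beneath it.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PathTraversalError(f"request escapes document root: {request_path!r}")
    return candidate


def check_requests(document_root, request_paths):
    """Classify each request path as 'ok' or 'blocked' (for logging/review)."""
    verdicts = []
    for path in request_paths:
        try:
            resolve_request_path(document_root, path)
            verdicts.append((path, "ok"))
        except PathTraversalError:
            verdicts.append((path, "blocked"))
    return verdicts


# Constructed sample requests: two legitimate screen fetches followed by four
# traversal attempts of the kinds HMI web servers have historically mishandled.
SAMPLE_ROOT = "/srv/hmi/www"  # hypothetical document root
SAMPLE_REQUESTS = [
    "/screens/overview.html",
    "/screens/../index.html",
    "/../../etc/passwd",
    "/screens/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/..\\..\\boot.ini",
    "/screens/%00.html",
]

if __name__ == "__main__":
    for path, verdict in check_requests(SAMPLE_ROOT, SAMPLE_REQUESTS):
        print(f"{verdict:8s} {path}")
```

The second sample request stays inside the root after normalisation and is allowed; the real defence is the final comparison against the resolved root, which also catches a symlink planted under the document root, something a purely textual `..` filter misses.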
Research & Technology News
The Triton Malware Framework – Reverse-Engineering a Recent ICS Cyberattack
The analysis of the TRITON malware code conducted by the CyberX research team leads us to believe the TRITON malware itself is only a small part of a planned larger attack. The conclusions from this research are:
- The TRITON ICS cyberattack exhibited an entirely new level of Stuxnet-like sophistication.
- The attackers exploited a zero-day in the PLC firmware in order to inject a Remote Access Trojan (RAT) with escalated privileges into the firmware memory region of the controller — without interrupting its normal operation and without being detected.
- The purpose of the RAT was to enable persistent access to the controller, even when the physical key was turned to RUN mode — which is designed to prevent unauthorized updates to the PLC code — rather than PROGRAM mode.
- Although TRITON was a targeted attack designed to compromise particular Schneider Electric devices, this tactic is now available to other adversaries — who can design similar malware attacking a broader range of controller types and industrial automation manufacturers.
- Snort signatures (see blog post) can be used to detect TRITON communication in your ICS network, but continuous monitoring is required to prevent similar attacks (that use different protocols) in the future.
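The last point above, and the Siemens item earlier in this issue about controllers reachable on TCP port 102, both come down to the same monitoring question: which hosts are speaking engineering protocols to which controllers, and should they be? The script below is an added example, not CyberX's platform or the Snort signatures referred to above. It runs over constructed connection records and reports three conditions: an engineering-protocol session from outside the plant address space, a session from a host that is not an approved engineering workstation, and one host sweeping several controllers (scanning). TCP/102 for S7comm comes from the newsletter; UDP/1502 for Triconex TriStation, the plant address ranges and the allowlisted workstation are assumptions of the example.

```python
"""Allowlist monitor for engineering-protocol sessions on an OT network.

Added example, not CyberX's product or the Snort signatures the newsletter
refers to. Reads constructed connection records of the form
"<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>" and flags
external sources, unapproved engineering stations and controller sweeps.
"""
import ipaddress
from collections import defaultdict

WATCHED_PORTS = {
    ("tcp", 102): "S7comm",       # Siemens S7-300/S7-400 engineering protocol
    ("udp", 1502): "TriStation",  # Triconex engineering protocol (assumed port)
}

# Hypothetical plant address space; anything outside it is treated as external.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Hypothetical allowlist: the only hosts permitted to speak engineering protocols.
ENGINEERING_STATIONS = {"10.10.1.5"}

# One source reaching this many distinct controllers on one protocol is reported as a scan.
SCAN_THRESHOLD = 3


def parse_record(line):
    """Split one record into (timestamp, proto, src_ip, dst_ip, dst_port)."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, proto.lower(), src_ip, dst_ip, int(dst_port)


def is_internal(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETWORKS)


def analyze(lines):
    """Return findings as (timestamp, kind, src_ip, protocol, dst_ip) tuples."""
    findings = []
    controllers_seen = defaultdict(set)  # (src_ip, protocol) -> {dst_ip, ...}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src_ip, dst_ip, dst_port = parse_record(line)
        protocol = WATCHED_PORTS.get((proto, dst_port))
        if protocol is None:
            continue  # not an engineering protocol; out of scope for this monitor
        if not is_internal(src_ip):
            findings.append((ts, "EXTERNAL_SOURCE", src_ip, protocol, dst_ip))
        elif src_ip not in ENGINEERING_STATIONS:
            findings.append((ts, "UNAPPROVED_STATION", src_ip, protocol, dst_ip))
        seen = controllers_seen[(src_ip, protocol)]
        seen.add(dst_ip)
        if len(seen) == SCAN_THRESHOLD:
            findings.append((ts, "SCAN", src_ip, protocol, dst_ip))
    return findings


# Constructed records: approved station 10.10.1.5, rogue internal host 10.10.3.40,
# external host 203.0.113.7, and one unrelated HTTPS session that is ignored.
SAMPLE_LOG = """\
2018-02-01T10:00:01 tcp 10.10.1.5:49152 -> 10.10.2.11:102
2018-02-01T10:00:05 tcp 10.10.3.40:51000 -> 10.10.2.11:102
2018-02-01T10:00:09 tcp 203.0.113.7:40001 -> 10.10.2.11:102
2018-02-01T10:01:00 udp 10.10.3.40:1502 -> 10.10.2.21:1502
2018-02-01T10:01:02 udp 10.10.3.40:1502 -> 10.10.2.22:1502
2018-02-01T10:01:04 udp 10.10.3.40:1502 -> 10.10.2.23:1502
2018-02-01T10:02:00 tcp 10.10.1.5:49153 -> 10.10.2.30:443
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The allowlist is the part that carries over to protocols the monitor has never seen: a signature matches one known malware family's traffic, whereas "only these workstations may program controllers" flags the next tool regardless of which engineering protocol it speaks.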
Founded by military cyber experts with nation-state expertise defending critical infrastructure, CyberX provides the most widely-deployed industrial cybersecurity platform for continuously reducing ICS risk. The CyberX platform combines an embedded understanding of industrial devices, protocols, and applications with ICS-specific continuous monitoring and anomaly detection, asset and network topology discovery, risk and vulnerability management, automated threat modeling, and threat intelligence.
To see CyberX’s OT security platform in action, request a demo here.