[BreachExchange] Threat group builds custom malware to attack industrial systems

Matthew Wheeler mwheeler at flashpoint-intel.com
Thu Apr 14 11:49:38 EDT 2022


https://www.theregister.com/2022/04/14/hackers-custom-malware-ics-scada/

Hackers have created custom tools to control a range of industrial control
system (ICS) and supervisory control and data acquisition (SCADA) devices,
marking the latest threat to a range of critical infrastructure in the
United States, according to several government agencies.

In an alert this week, the Cybersecurity and Infrastructure Security
Agency (CISA), Department of Energy (DOE), National Security Agency (NSA),
and FBI said that some of the devices at risk include programmable logic
controllers from Schneider Electric and Omron Electronics as well as Open
Platform Communications Unified Architecture (OPC UA) servers.

The tools enable threat groups to scan for, compromise, and eventually
control affected devices after gaining initial access to an organization's
operational technology (OT) networks.

"Additionally, the actors can compromise Windows-based engineering
workstations, which may be present in information technology (IT) or OT
environments, using an exploit that compromises an ASRock motherboard
driver with known vulnerabilities," the agencies wrote in the alert.

"By compromising and maintaining full system access to ICS/SCADA devices,
APT [advanced persistent threat] actors could elevate privileges, move
laterally within an OT environment, and disrupt critical devices or
functions."

Cybersecurity firm Dragos identified the ICS-specific malware – which it
calls Pipedream – earlier this year through independent research and work
with partners.

Dragos researchers linked Pipedream to the threat group Chernovite.

The government agencies are urging critical infrastructure organizations –
particularly those in the energy sector – to put in place recommended
detection and mitigation processes, including using strong perimeter
controls to isolate ICS and SCADA systems and networks from corporate and
internet networks and limit communications entering or leaving those
perimeters.

They also recommend using multifactor authentication for remote access to
ICS networks and devices.

Tim Erlin, vice president of strategy at cybersecurity firm Tripwire, said
that industrial organizations need to pay heed to the government's alert.

"It's important to note that while this alert calls out tools for gaining
access to specific industrial control systems, there's a bigger picture
threat that involves more of the industrial control environment," Erlin
said.

"Attackers need an initial point of compromise to gain access to the
industrial control systems involved, and organizations should build their
defenses accordingly."

Pointing to the extensive list of recommended mitigation processes, he
noted that protecting against the threat "isn't a matter of simply applying
a patch."

Government agencies over the last couple of years have put a spotlight on
the cybersecurity threat to critical infrastructure within the United
States, with the 2021 ransomware attacks on energy provider Colonial
Pipeline and JBS Foods that had wide-ranging impacts in the country.

The threat has only grown with Russia's unprovoked invasion of Ukraine,
with agencies warning of a spillover effect from the cyberattacks Russia
and the threat groups it supports have launched against its neighbor.

The private sector also is moving to protect industrial systems, in
particular in the automotive, semiconductor, energy, banking and
telecommunications industries. A new consortium called the Operational
Technology Cybersecurity Coalition (OTCSA) includes such corporations as
Coca-Cola, Honeywell and Blackberry and cybersecurity firms like Fortinet,
ABB and Check Point.

The goal is to collect and share information with consortium members and
government agencies.

In the latest alert, the agencies said the APT groups have created tools
with modular architectures that enable them to run automated exploits
against systems. The software includes a virtual console with a command
line interface that mirrors what's in the targeted devices.

"Modules interact with targeted devices, enabling operations by
lower-skilled cyber actors to emulate higher-skilled actor capabilities,"
they wrote. "The APT actors can leverage the modules to scan for targeted
devices, conduct reconnaissance on device details, upload malicious
configuration/code to the targeted device, back up or restore device
contents, and modify device parameters."

There also is a tool that installs and exploits a known flaw in an
ASRock-signed motherboard driver, AsrDrv103. The tool exploits the
vulnerability tracked as CVE-2020-15368, executing malicious code in the
Windows kernel and enabling the APT actors to move laterally within an IT
or OT environment and disrupt critical devices and functions.

Dragos researchers wrote in a blog post that Pipedream is a "modular ICS
attack framework that an adversary could leverage to cause disruption,
degradation, and possibly even destruction depending on targets and the
environment."

They don't believe that Pipedream has yet been used in the wild, adding that
it can execute 38 percent of known ICS attack techniques and 83 percent of
known ICS attack tactics.

"While Chernovite is specifically targeting Schneider Electric and Omron
controllers, there could be other modules targeting other vendors as well
and Pipedream's functionality could work across hundreds of different
controllers," they wrote.

"Said simply, a focus on the equipment vendor is misplaced, and instead the
focus should be placed on the tactics and techniques the adversary is
leveraging."

Along with isolating ICS and SCADA systems and leveraging multifactor
authentication, the US agencies also are recommending such steps as having
a cyber-incident plan in place, changing all passwords to targeted devices
and systems and using strong passwords, maintaining backups, implementing
strong log collection and retention from ICS and SCADA systems and ensuring
that applications are installed only when necessary for operation.
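The perimeter-isolation and log-collection recommendations above can be checked against network flow logs. The following is an added example written for this post, not code from the agencies, Dragos or The Register: it flags flows that cross from outside an assumed OT address range into OT hosts on ICS ports, and sources that sweep several PLC hosts, which is the "scan for targeted devices" behaviour the alert describes. The OT subnet, the port-to-protocol mapping (Modbus/TCP 502 for Schneider, OPC UA 4840, Omron FINS/TCP 9600) and the flow records are all assumptions constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Assumed OT address space and assumed protocol/port mapping for the device
# classes named in the alert (Schneider Modbus/TCP, OPC UA, Omron FINS/TCP).
OT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
ICS_PORTS = {502: "modbus-tcp", 4840: "opc-ua", 9600: "omron-fins"}
SCAN_THRESHOLD = 3  # distinct OT hosts one source touches on ICS ports

# Constructed sample flow records, "timestamp src dst dport" (not real traffic).
SAMPLE_FLOWS = """\
2022-04-14T10:00:01 10.10.5.20 10.10.8.11 502
2022-04-14T10:00:05 192.168.1.77 10.10.8.11 502
2022-04-14T10:00:06 192.168.1.77 10.10.8.12 502
2022-04-14T10:00:07 192.168.1.77 10.10.8.13 4840
2022-04-14T10:00:08 192.168.1.77 10.10.8.14 9600
2022-04-14T10:00:20 10.10.5.20 10.10.9.2 4840
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((ts, ipaddress.ip_address(src),
                        ipaddress.ip_address(dst), int(dport)))
    return records

def in_ot(addr):
    return any(addr in net for net in OT_NETS)

def find_alerts(records):
    """Return (crossings, scanners).
    crossings: flows from outside the OT range into OT hosts on an ICS port.
    scanners: {src: host_count} for sources touching >= SCAN_THRESHOLD OT hosts."""
    crossings = []
    touched = defaultdict(set)
    for ts, src, dst, dport in records:
        if dport not in ICS_PORTS or not in_ot(dst):
            continue  # only ICS-protocol traffic aimed at OT hosts is of interest
        touched[src].add(dst)
        if not in_ot(src):
            crossings.append((ts, str(src), str(dst), ICS_PORTS[dport]))
    scanners = {str(s): len(h) for s, h in touched.items() if len(h) >= SCAN_THRESHOLD}
    return crossings, scanners

if __name__ == "__main__":
    crossings, scanners = find_alerts(parse_flows(SAMPLE_FLOWS))
    for c in crossings:
        print("perimeter crossing:", c)
    print("possible PLC sweep:", scanners)
```

In the constructed sample, the in-OT engineering host 10.10.5.20 is left alone while 192.168.1.77, on the corporate side, is reported both for crossing the perimeter and for sweeping four PLC hosts.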