Tuesday, August 14, 2018 @ 11:08 AM gHale

Siemens has an update for its SIMATIC STEP 7 (TIA Portal) and SIMATIC WinCC (TIA Portal) that fixes two vulnerabilities, according to a report with Siemens ProductCERT.

The vulnerabilities could allow an attacker with local file write access to manipulate files and either cause a denial-of-service (DoS) or execute code on the manipulated installation and on devices configured using that installation.

The Totally Integrated Automation Portal (TIA Portal) is PC software that provides unrestricted access to the complete range of Siemens digitalized automation services, from digital planning and integrated engineering to transparent operation. Younes Dragoni from Nozomi Networks discovered the vulnerabilities.

Affected products include:
• SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V10, V11, V12: All versions
• SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V13: All versions
• SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V14: All versions less than V14 SP1 Update 6
• SIMATIC STEP 7 (TIA Portal) and WinCC (TIA Portal) V15: All versions less than V15 Update 2

In one vulnerability, improper file permissions in the default installation of TIA Portal may allow an attacker with local file system access to insert specially crafted files, which may prevent TIA Portal startup (DoS) or lead to local code execution. No special privileges are required, but the victim needs to attempt to start TIA Portal after the manipulation.

The vulnerability has a CVSS base score of 7.8. At the time of advisory publication no public exploitation of this security vulnerability was known.

In the other vulnerability, improper file permissions in the default installation of TIA Portal may allow an attacker with local file system access to manipulate resources that may be transferred to devices and executed there by a different user. No special privileges are required, but the victim needs to transfer the manipulated files to a device. Execution occurs on the target device rather than on the PG device.

This has a CVSS base score of 8.6. At the time of advisory publication no public exploitation of this security vulnerability was known.

Siemens identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
• Restrict operating system access to authorized personnel
• Validate GSD files for legitimacy and process GSD files only from trusted sources

Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security.
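Both advisories come down to the same defender's question: can a local user write into the installation, and has anything in it changed since install? The script below is an added example, not Siemens' tooling, showing the two checks that answer it: flag entries writable by group or world, and compare every file against a SHA-256 manifest recorded at install time, with a small allow-list check for GSD files before import. It uses POSIX mode bits; on Windows the equivalent permission check reads the DACL (for example with icacls), which is not covered here. The manifest format, the demo directory layout and the file names are this example's own.

```python
"""Integrity and permission audit of a software installation tree.

Added example (not Siemens' tooling).  Assumptions: POSIX mode bits stand in
for the Windows DACL check; the manifest format and the demo tree are invented.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root.

    Take this right after a clean install and keep it somewhere the audited
    host cannot write to, otherwise a local user can update it along with the files."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit_install(root: Path, manifest: dict) -> dict:
    """Compare the tree on disk with the manifest and with the expected permissions."""
    findings = {"modified": [], "unexpected": [], "missing": [], "writable_by_others": []}
    seen = set()
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        # Group- or world-writable entries let an unprivileged local user plant or replace files.
        if p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings["writable_by_others"].append(rel)
        if not p.is_file():
            continue
        seen.add(rel)
        if rel not in manifest:
            findings["unexpected"].append(rel)
        elif sha256_of(p) != manifest[rel]:
            findings["modified"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    for key in findings:
        findings[key].sort()
    return findings


def gsd_is_trusted(gsd_path: Path, trusted_hashes: set) -> bool:
    """Allow-list check for a device description (GSD) file before it is imported:
    only files whose hash was recorded from the vendor's trusted source are processed."""
    return sha256_of(gsd_path) in trusted_hashes


def run_demo() -> dict:
    """Build a throwaway install tree (constructed sample), record its manifest,
    tamper with it the way a local user with write access could, then audit it."""
    root = Path(tempfile.mkdtemp(prefix="install-audit-"))
    (root / "bin").mkdir()
    (root / "bin" / "app.exe").write_bytes(b"original program")
    (root / "bin" / "helper.dll").write_bytes(b"helper library")
    (root / "config.ini").write_bytes(b"key=value")
    manifest = build_manifest(root)

    (root / "bin" / "app.exe").write_bytes(b"replaced program")    # modified
    (root / "bin" / "planted.dll").write_bytes(b"planted library")  # unexpected
    (root / "config.ini").unlink()                                  # missing
    os.chmod(root / "bin" / "helper.dll", 0o666)                    # writable by everyone
    return audit_install(root, manifest)


if __name__ == "__main__":
    for kind, entries in run_demo().items():
        print(f"{kind}: {entries}")
```

Run build_manifest once after installation, store the result off-host, and run audit_install on a schedule or before starting the engineering software; any entry in "modified", "unexpected" or "writable_by_others" is the condition the advisory describes.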

Thursday, August 9, 2018 @ 05:08 PM gHale

By Gregory Hale
The Triton attack against a safety system and a distributed control system at a gas refinery in Saudi Arabia last August was a planned, targeted attack against a specific system, but in analyzing the attack it becomes clear that aspects of it could be relatively easy to create.

“You don’t need to have tons of resources to create an attack like this,” said Andrea Carcano, chief product officer and co-founder of Nozomi Networks, during a packed talk entitled “TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems Forever” at Black Hat USA 2018 in Las Vegas, NV, Wednesday. “Barriers for advanced ICS hacking have been lowered. Dedicated tools and information on the wire make the life of a hacker much easier. While attacks are more sophisticated, skill levels are not as high.”

“The effort, skills and financial resources needed to create the Triton malware framework are not that high,” Carcano said. “Considering this, asset owners should act immediately to monitor their SIS and secure them against external attacks.”

In August last year, the Saudi critical infrastructure user suffered a shutdown of its facility and the controllers of a targeted Triconex safety system failed safe. During an initial investigation security professionals noticed there were some suspicious things going on and that is when they found malware. The safety instrumented system (SIS) engineering workstation was compromised and had the Triton (also called Trisis and HatMan) malware deployed on it. The distributed control system (DCS) was also compromised. It is possible to envision an attack where the attacker had the ability to manipulate the DCS while reprogramming the SIS controllers.

OT Environment
At a traditionally IT-centric event like Black Hat, some explanation was needed to describe industrial control systems and safety instrumented systems.

In defining industrial control systems and safety instrumented systems for the audience, Marina Krotofil, an industrial cybersecurity researcher, talked about the danger in working with these systems.

“Cyber physical systems are inherently hazardous, they are protecting humans, machinery and the environment,” she said. “Safety systems are software-based which means they are potentially hackable.”

Safety systems come with multiple connection possibilities:
• They sometimes connect to process control systems
• They can sometimes be separate
• Using multiple vendors increases risk

“An attack on a safety system can cause the most damage possible,” Krotofil said.

The attacker obtained remote access to the SIS and injected a remote backdoor that could read arbitrary memory, write into memory and then execute arbitrary code on the TriStation, she said.

Carcano went on to discuss how it is possible to build an attack like Triton:
• Gather intelligence: collect as much information as possible and gain a documented view of the target
• Build a shopping list: documentation, engineering tool-set, firmware and controller
• Reverse engineer the engineering software by collecting information
• Reverse engineer the TriStation protocol, so as to be able to talk to and understand the protocol of the target system

In reverse engineering the software, the Nozomi team found two undocumented power users with hard-coded credentials. One of the power users’ logins enabled a hidden menu which, from an attacker’s perspective, could be useful. However, there was no connection between the Triton malware and this hidden menu, and the malware did not leverage these undocumented users. Second, Carcano said these undocumented users exist for TriStation 1131 v4.9.0 and earlier versions only, according to Schneider Electric.

Toolset Released
As a result of their research (Nozomi’s white paper gives more details of the investigation), the network monitoring provider released a Triton toolset:
1. A passive detection tool that dissects the proprietary TriStation protocol, for understanding the communication between the engineering workstation and the Triconex controller
2. An active detection tool that checks for Triton programs running inside the controller and uploads the program table to inspect it for suspicious payloads
3. A honeypot that replicates the Triconex system configuration and detects unknown traffic targeting the SIS network

Reverse engineering the attack is important, there is no doubt, but what did we learn and what are the next steps?

“There needs to be auditing and forensic tools,” Krotofil said. “Asset owners should start a dialog with vendors. They should start sharing concerns with vendors right now.”

Protecting safety systems in the ICS environment is a top concern, and it should not be approached with a cavalier attitude.

“If you access the safety system, you are done,” Carcano said.

Friday, July 20, 2018 @ 01:07 PM gHale

By Alessandro Di Pinto and Younes Dragoni
Triton, also known as Trisis and HatMan, is one of only a few known malware frameworks that resulted in a direct physical impact on critical infrastructure.

In 2017, Triton was used to attack a Saudi Arabian gas facility, directly interacting with, and remotely controlling, its Safety Instrumented System (SIS). Given the significance of this attack, Nozomi Networks conducted research on the malware to better understand how its multistage injection techniques work.

We obtained a Triconex SIS controller and successfully communicated with it, including injecting the Triton malware. Using the network traffic generated, we analyzed the proprietary TriStation protocol used to communicate with Triconex Safety Systems.

Along those lines, we released a Wireshark dissector for the TriStation protocol — called the TriStation Protocol Plug-in for Wireshark. The dissector is available as a free download from GitHub, along with a packet capture (PCAP) of network traffic that includes TriStation communications. These tools are intended to give researchers and ICS organizations access to a clear visual dissection of SIS controller communications, helping them identify compromises and cyber security risks.

Our complete analysis of Triton, along with a live demo of an attack and a second Triton tool will be shown at the upcoming Black Hat USA presentation we are giving jointly with FireEye on August 8 at 11:15 a.m. in Las Vegas, NV.

Triton Reprograms SIS Controller
In December 2017, FireEye reported it had worked with an industrial operator whose facility was attacked by a new type of ICS malware they named Triton. The attack reprogrammed the facility’s SIS, causing it to enter a failed state and resulting in an automatic shutdown of the industrial process.

The shutdown led to the discovery of the malware and is thought to have been the result of a programming problem in the malware’s code. Triton was likely intended to prevent the SIS from safely shutting down the plant during a simultaneous attack on the process itself.

SIS systems are designed to prevent critical process systems from causing safety, health or environmental incidents. They are the last line of automated defense for a plant (mechanical defenses also exist) and are a special kind of PLC with multiple redundant systems.

While no harm occurred in this case, the attack represents a step up in the sophistication of ICS cyberattacks, being the first known one to successfully interact with a SIS.

Wireshark Dissecting
During research on Triton, we expanded our knowledge about the proprietary TriStation protocol used by the Triconex Safety Systems components. Some insight was extracted from the malware itself. Other knowledge came from the live traffic generated in our lab using a Triconex controller model MP 3008 with an NCM 4329/N/G communications module.

A PCAP of this traffic was shared with FireEye, who worked with BSI (the German Federal Office for Information Security), to develop packet rules for detecting Triton.

We conducted our own analysis of the PCAP and realized a tool capable of explaining the communications would be extremely helpful. Usually engineers analyze network traffic by intercepting it with a program called Wireshark. Wireshark is a very flexible tool that visually explains the meaning of each byte contained in captured traffic. It works well for known, well documented protocols but is ineffective when dealing with a proprietary protocol. To overcome this issue, Wireshark allows users to create their own dissector (protocol parser) to describe how to interpret unknown protocols. Some of the languages used to create dissectors are C++ and Lua.

Because TriStation is a proprietary protocol not understood by Wireshark, initially the contents of the packets looked like raw data.

We developed a Lua dissector that instructs Wireshark on how to parse the data contained inside each packet. With the dissector as a guide, Wireshark describes the meaning of each byte inside TriStation packets, making it easier for analysts to understand TriStation data traveling over a control network.

We would like to emphasize that the functionality of the dissector is the result of our malware analysis and reflects the attackers’ reverse engineering of the TriStation protocol.

Dissector Includes Triton Detection
Additionally, based on new findings gained during our Triton research, our TriStation Protocol Plug-in for Wireshark detects the uploading of a malicious program related to Triton. While we are aware that Wireshark is not the most convenient tool for performing intrusion detection, our dissector demonstrates it’s possible to identify ICS malware on the network using passive techniques.
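What a dissector-based passive detector does, stripped to its essentials, is shown in the added example below; it is not Nozomi's plug-in and it does not use the real TriStation layout. The framing is a hypothetical stand-in (a 1-byte function code and a 2-byte little-endian length in front of each UDP payload), the function-code values and host addresses are invented for the demo, and the sample capture is constructed. What it demonstrates is the same idea as the page's passive tool and plug-in: parse every frame, name each field, and alert on a program download that does not come from a known engineering workstation, on a function code the dissector does not know, and on a frame whose declared length does not match its bytes.

```python
"""Passive detector for program-download commands on an SIS engineering link.

Added example, not Nozomi's dissector.  The framing is a hypothetical stand-in
for the real (proprietary) TriStation layout; function codes, hosts and the
sample capture are invented for the demo.
"""
import struct
from dataclasses import dataclass

# Hypothetical function codes (assumption, not the real protocol).
FUNC_NAMES = {
    0x01: "connect",
    0x02: "get_controller_state",
    0x10: "program_download",   # writes logic into the controller
    0x11: "program_upload",     # reads the program table back
}
PROGRAM_WRITE_FUNCS = {0x10}


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    func: int
    payload: bytes

    @property
    def name(self) -> str:
        return FUNC_NAMES.get(self.func, f"unknown(0x{self.func:02x})")


def parse_frame(src: str, dst: str, data: bytes) -> Frame:
    """Dissect one payload under the hypothetical framing; raise on malformed input."""
    if len(data) < 3:
        raise ValueError(f"short frame ({len(data)} bytes)")
    func, length = struct.unpack_from("<BH", data, 0)
    payload = data[3:3 + length]
    if len(payload) != length:
        raise ValueError(f"declared length {length}, only {len(payload)} bytes present")
    return Frame(src, dst, func, payload)


def build_frame(func: int, payload: bytes = b"") -> bytes:
    """Encode a frame under the same framing; used here only to build the sample capture."""
    return struct.pack("<BH", func, len(payload)) + payload


def detect(packets, engineering_hosts):
    """Return one alert string per suspicious packet.

    Three passive rules: a program write from a host that is not a known
    engineering workstation, a function code the dissector does not know,
    and a frame that does not parse."""
    alerts = []
    for src, dst, data in packets:
        try:
            frame = parse_frame(src, dst, data)
        except ValueError as exc:
            alerts.append(f"malformed frame from {src}: {exc}")
            continue
        if frame.func in PROGRAM_WRITE_FUNCS and src not in engineering_hosts:
            alerts.append(f"program download from non-engineering host {src} -> {dst} "
                          f"({len(frame.payload)} bytes)")
        elif frame.func not in FUNC_NAMES:
            alerts.append(f"unknown function code {frame.name} from {src} -> {dst}")
    return alerts


# Constructed sample capture: (src, dst, UDP payload).  Not real traffic.
ENGINEERING_HOSTS = {"10.2.0.10"}
CONTROLLER = "10.2.0.50"
SAMPLE_CAPTURE = [
    ("10.2.0.10", CONTROLLER, build_frame(0x01)),
    ("10.2.0.10", CONTROLLER, build_frame(0x02)),
    ("10.2.0.10", CONTROLLER, build_frame(0x10, b"\x00" * 64)),   # download from the known EWS
    ("10.2.0.99", CONTROLLER, build_frame(0x10, b"\xaa" * 128)),  # download from an unknown host
    ("10.2.0.99", CONTROLLER, build_frame(0x7f, b"\x01")),        # unknown function code
    ("10.2.0.99", CONTROLLER, b"\x10\xff\x00"),                   # declares 255 bytes, carries none
]


def run_demo():
    return detect(SAMPLE_CAPTURE, ENGINEERING_HOSTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The allow-list of engineering hosts is the one piece of site knowledge the detector needs; everything else comes from the capture, which is why the same logic can run as a Wireshark dissector, as the page describes, or inside a passive monitor.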
Alessandro Di Pinto and Younes Dragoni are members of Nozomi Networks’ research team.

Monday, June 4, 2018 @ 05:06 PM gHale

Nozomi Networks Inc. unveiled new product enhancements, a broadened partner network, and global field expansion initiatives.

New product enhancements in Nozomi Networks’ latest release include high-availability features to meet the needs of large-scale global deployments. Expansion of the company’s global partner network better enables IT/OT integration in customer deployments, and new global field expansion provides CIOs and CISOs around the world with the security expertise they need to manage and reduce OT risks.

Addressing the rising threat of cyberattacks against critical national infrastructure and industrial networks has quickly become a top priority worldwide. In January, the World Economic Forum identified cyberattacks against industrial systems and critical infrastructure among the highest risks to international stability.

“If a utility network or petrochemical operation is compromised, human safety and financial harm hang in the balance,” said Nozomi Networks co-founder and chief product officer, Andrea Carcano. “Protecting critical infrastructure and industrial operations from real cyber threats is now a C-suite priority and is the mission upon which Nozomi was founded.”

Nozomi Networks’ companywide expansion initiatives include:

1. Enhancements to the latest version of SCADAguardian and its Central Management Console (CMC). With its 4th generation of AI-powered technology, Nozomi Networks offers high availability configurations to support large organizations that need fully redundant implementations or disaster recovery.
Other new capabilities in V18 include:
• Improved IT/OT visibility via advances in vulnerability assessment and network topology filtering views
• Added resiliency for large scale deployments including systems performance improvements and system hardening 
• Additions to hybrid threat detection including more than 100 new threat checks.

2. Focused on rapidly filling a market gap in effective IT/OT cybersecurity integrations, Nozomi Networks added several new partners, including Gravwell and BlackRidge, to its global partner network. The company now has nearly 50 strategic technology, SI and VAR partners actively offering Nozomi Networks solutions around the world.

3. Nozomi Networks’ newly named vice president of worldwide sales, Obbe Knoop will lead the company’s field expansion efforts.

Friday, May 18, 2018 @ 02:05 PM gHale

GE released new firmware to mitigate an improper input validation vulnerability in its PACSystems CPE305/310, CPE330, CPE400, RSTi-EP CPE 100, CPU320/CRU320 and RXi, according to a report with NCCIC.

Successful exploitation of this remotely exploitable vulnerability, discovered by Younes Dragoni of Nozomi Networks, could cause the device to reboot and change its state, causing the device to become unavailable.

The following versions of PACSystems, an industrial Internet controller, suffer from the vulnerability:
• PACSystems RX3i CPE305/310 version 9.20 and prior
• RX3i CPE330 version 9.21 and prior
• RX3i CPE 400 version 9.30 and prior
• PACSystems RSTi-EP CPE 100 all versions
• PACSystems CPU320/CRU320 and RXi all versions

The device does not properly validate input, which could allow a remote attacker to send specially crafted packets causing the device to become unavailable.

CVE-2018-8867 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

The product sees use mainly in the critical manufacturing sector. It also sees action on a global basis.

No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.

GE released the following firmware to mitigate the vulnerability (login required):
• IC695CPE305 – Upgrade Kit: CPE305_FW9_40_41G1733-MS10-000-A17.zip
• IC695CPE310 – Upgrade Kit: CPE310_FW9_40_41G1734-MS10-000-A17.zip
• IC695CPE330 – Upgrade Kit: CPE330_FW9_40_41G2016-FW01-000-A11.zip
• IC695CPE400 – Upgrade Kit: CPE400_FW9_40_41G2376-FW01-000-A3.zip
• CPE100 – GE provides the newest firmware separately

GE said CPU/CRU320 is end of life, and there is a direct upgrade path available to users.

Tuesday, May 15, 2018 @ 11:05 AM gHale

Managing reputational and OT risk in an era of escalating cyber threats.
Source: Nozomi Networks

By Heather MacKenzie and Mihaela Grad
Over the last ten years there has been a significant shift in the level of concern over industrial cybersecurity risk. Executives at energy, utility and manufacturing businesses didn’t use to lose sleep over potential cyberattacks in the way they might have over major safety or environmental risks. At the plant level, operators believed air gaps and proprietary technology were sufficient defenses against malware, and that attacks on cyber-physical processes were very unlikely.

Fast forward to today, where the industrial sector is digitizing and automating processes at an increasingly rapid rate. While connected systems deliver new value and improve productivity, they also introduce exposure to cyber risk.

The accelerating concern about cyber threats among world leaders and the C-suite is made clear in the World Economic Forum’s Global Risks Report 2018:

“[A] growing trend is the use of cyberattacks to target critical infrastructure and strategic industrial sectors, raising fears that, in a worst-case scenario, attackers could trigger a breakdown in systems that keep societies functioning.”

Managing Reputation
No organization is immune to crises.

Data breaches often top the list of potential threats. In a Standing Partnership/Edison Research survey of 1,000+ executives, 34 percent reported IT and security issues had created a reputation problem in the past, with more than half anticipating similar problems in the future.

The energy sector is particularly vulnerable. Recent revelations about cyberattacks orchestrated by Russian hackers against U.S. energy companies emphasize how important crisis readiness is. The number of distributed denial-of-service (DDoS) attacks is projected to grow to 3.1 million by 2021, according to Cisco.

Increasingly, companies are judged not by whether they experienced a crisis, but by how they handled it. Successful crisis management is measured by the ability to navigate the situation with a stable stock price and an untarnished reputation.

Risk, Crisis Differences
Crises can be caused by external or internal factors. A natural disaster is an external threat beyond your control, yet it’s still important to respond with speed and transparency. Organizations typically rebound faster from external crises because it is easier for stakeholders to forgive unintentional harm.

On the other hand, incidents resulting from purposeful misdeeds or negligence that could have been prevented (e.g., poor cybersecurity measures or unethical behavior) are more difficult for stakeholders to “get over,” often leading to reputational damage.

Not every risk causes a crisis, but those you should have known about and taken steps to address are the ones most likely to cause damage. It is recommended to periodically review potential threats and develop plans for preventing them from escalating, or mitigating the impact should they happen.

For example, cyber hacking is a threat that companies have no control over. However, acknowledging the risk allows the organization to evaluate its IT/OT infrastructure and operational policies to identify and close loopholes, and establish procedures for a timely and effective communications response.

Crisis Effects
A poorly handled crisis has broad implications. Regardless of what caused it, impact on stock price and brand is almost immediate.

Reported losses from cyberattacks run in the millions – Merck: $780M, Maersk: $300M, FedEx: $300M. If your efforts around crisis preparedness are met with reluctance, bring up Accenture’s $11.7M per organization cost of cyber crime.

Getting Prepared
So, how do you prepare for a crisis? What you say, how you say it and the channels you say it through can either bolster or diminish your customers’ and stakeholders’ trust.

There are crisis preparedness best practices organizations can follow, including:

1. Align all your crisis response plans — Assemble all existing policies, business continuity, operational and communications plans, plus reports that outline the risks your organization faces. Determine how current they are, and list the gaps.

2. Build or update a cross-functional crisis team — Your crisis response team should include representatives from across the organization – safety, operations, legal, IT/OT, customer service, communications, HR, etc. – depending on your business and industry. If you have a head office and remote operational units, determine who from each location should be on the team. Make sure contact information is up-to-date, and that each member has a back-up.

3. Develop a written plan — It’s best to have a written crisis response plan that contains responses to scenarios most likely to impact your organization. A typical plan includes the response team list and responsibilities, criteria for assessing severity, a decision-making protocol, key messages, list of communications channels, and sample communications such as internal and external announcements, media statements, social posts and press releases. A plan eliminates second-guessing and speeds up response during a crisis. Ideally, it is reviewed and updated every six to twelve months.

4. Train your team — A plan without training isn’t worth much. Gather the cross-functional crisis response team at least once a year to run through the communications plan, and make sure members can execute seamlessly during high stress situations.

To assess and manage OT risk, and protect your corporate brand, preparedness is key.

Advanced technology and proven reputation management strategies make it a whole lot easier.
Mihaela Grad is vice president at Standing Partnership, a reputation management consultancy. Grad leverages her experience in life sciences, agriculture and pharmaceuticals to build and execute plans to manage corporate reputations. Heather MacKenzie is an ICS Cybersecurity Specialist at Nozomi Networks. She has worked in industrial cybersecurity since 2008. She helps OT/IT teams responsible for industrial control networks understand cyber risks.

Tuesday, April 24, 2018 @ 08:04 PM gHale

Nozomi Networks Inc. and SecureLink inked a partnership pact to broaden SecureLink Germany’s delivery of services across Germany, Austria and Switzerland.

“With cyberthreats on the rise, our industrial enterprise customers are turning to SecureLink to address these threats head on,” said SecureLink Germany’s General Manager and Chief Technology Officer, Andreas Mertz. “Nozomi Networks is a leader in the market when it comes to ICS cybersecurity. Their proven track record of success in some of the most complex industrial operations makes them a trusted option for our customers and the strongest possible partner for SecureLink.”

SCADAguardian capabilities include real-time ICS monitoring, industrial network visualization, hybrid ICS threat and anomaly detection, asset inventory and vulnerability assessment.

Through this reseller agreement with Nozomi Networks, SecureLink Germany is able to offer its customers a solution for mapping, monitoring and detecting cyber threats to ICS networks.

“SecureLink has a plethora of customers across the German-speaking region of Europe — many with immediate and long-term needs for better protection against advanced ICS security threats,” said Chet Namboodri, Nozomi Networks vice president of alliances and business development. “We’ve already been working with SecureLink Germany on solutions for several key customers. This reseller agreement allows us to have an even bigger impact within the industrial and mission-critical sectors that SecureLink serves.”

Friday, March 30, 2018 @ 12:03 PM gHale

WAGO released new firmware to mitigate an improper resource shutdown or release vulnerability in its 750 Series, according to a report with ICS-CERT.

Successful exploitation of this remotely exploitable vulnerability, discovered by Younes Dragoni of Nozomi Networks, could allow a denial-of-service condition affecting the ability of the device to establish connections to commissioning and service software tools.

The following versions of 750 Series PLCs suffer from the issue:
• 750-880 firmware version 10 and prior
• 750-881 firmware version 10 and prior
• 750-852 firmware version 10 and prior
• 750-882 firmware version 10 and prior
• 750-885 firmware version 10 and prior
• 750-831 firmware version 10 and prior
• 750-889 firmware version 10 and prior
• 750-829 firmware version 10 and prior

No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.

In the vulnerability, a remote attacker may take advantage of an improper implementation of the 3-way handshake during a TCP connection, affecting communications with commissioning and service tools. Specially crafted packets may also be sent to port 2455/TCP, used by the Codesys management software, which may result in a denial-of-service condition of communications with commissioning and service tools.

CVE-2018-8836 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

The product sees action mainly in the commercial facilities, critical manufacturing, energy, and transportation systems sectors. It also sees use on a global basis. The company has offices in the United States, Germany, Switzerland, Poland, China, and India.

WAGO released new firmware addressing this vulnerability that can be obtained by contacting WAGO support via email.

If updating the firmware is not feasible, WAGO recommends users disable the WAGO Service Communication via WBM or limit access to ports 6626 and 2455/TCP to trusted devices.

WAGO’s security advisory provides more information.

Tuesday, March 20, 2018 @ 05:03 PM gHale

By Heather MacKenzie and Moreno Carullo
The U.S. government just released an important cybersecurity alert that confirms Russian government cyberattacks targeting energy and other critical infrastructure sectors in the United States.

While there has been a significant rise in cyberattacks in these industries, up to now we’ve only been able to speculate on who the actors are, or what their motives may be. In this case, the threat actor and their strategic intent have been clearly confirmed, something the U.S. government rarely does publicly.

In addition, the US-CERT alert provides descriptions of each stage of the attack, detailed indicators of compromise (IoCs), and a long list of detection and prevention measures. Many of the attack tactics are similar to those of Dragonfly 2.0, so much so that one might call this an expanded playbook for Dragonfly.

The following is intended to help you gain perspective on this alert, and provide additional guidance on what security measures to take.

Multi-Stage Campaigns
The US-CERT alert characterizes this attack as a multi-stage cyber intrusion campaign in which Russian cyber actors conducted spear phishing and gained remote access into targeted industrial networks. After obtaining access, the threat actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).

This pattern of behavior is typical of APTs (Advanced Persistent Threats). APTs occur over an extended period, meaning there is an opportunity to detect and stop them before damage is done. With the right technology monitoring the industrial network, it is much harder for them to go unobserved before their final attack.

In this case, the Russian cyberattacks started by infecting staging targets, peripheral organizations such as trusted third-party suppliers, which were then used as pivot points for attacking the final intended targets.

The attackers used a multitude of tactics involving information relevant to industrial control professionals for initial infection of the staging targets. Examples include:
• Altering trade publication websites
• Sending emails containing resumes for ICS personnel as infected Microsoft Word attachments
• Analyzing publicly available photos that inadvertently contained information about industrial systems

The credentials of staging targets’ staff were in turn used to send spear phishing emails to the staff of the intended targets. They received malicious .docx files, which communicated with a command and control (C2) server to steal their credentials.

The SMB (Server Message Block) network protocol was used throughout the spear phishing phases to communicate with external servers, as was described for the Dragonfly 2.0 attacks. This is a distinctive tactic. SMB is usually only used to communicate within LANs, not for outbound communications. Now that this is known, asset owners should ensure their firewalls are locked down for outbound service restrictions.
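The two network controls recommended in these articles, no SMB leaving the LAN (this alert) and access to the WAGO service ports 6626 and 2455/TCP limited to trusted devices (the WAGO advisory above), are both checkable from firewall or flow logs. The script below is an added example, not US-CERT's, WAGO's or Nozomi's code, that applies both policies to constructed log lines; it assumes the log has been normalised into the key=value format shown, that the site's internal ranges are the RFC 1918 blocks, and that the PLC and engineering-workstation addresses are the invented ones in the sample.

```python
"""Flow-log policy check: outbound SMB and untrusted access to PLC service ports.

Added example (not US-CERT's, WAGO's or Nozomi's code).  Assumptions: the
normalised key=value log format, RFC 1918 as the internal address space, and
the invented PLC / engineering-workstation addresses used in the sample.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Site-internal ranges are listed explicitly: ipaddress.is_private() also
# counts the documentation ranges (e.g. 203.0.113.0/24) as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}            # SMB should stay inside the LAN (TA18-074A)
PLC_SERVICE_PORTS = {2455, 6626}  # WAGO service / Codesys ports, trusted devices only

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)"
    r"\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    action: str


def parse_flow(line: str):
    """Return a Flow for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["src"], m["dst"], m["proto"].lower(), int(m["dport"]), m["action"])


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_flows(lines, plc_hosts, trusted_engineering_hosts):
    """Apply both policies to every TCP flow; returns (kind, flow) findings.

    Denied flows are reported too: a blocked outbound SMB attempt is the
    host-level symptom asset owners are told to look for."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.proto != "tcp":
            continue
        if flow.dport in SMB_PORTS and is_internal(flow.src) and not is_internal(flow.dst):
            findings.append(("outbound_smb", flow))
        if (flow.dst in plc_hosts and flow.dport in PLC_SERVICE_PORTS
                and flow.src not in trusted_engineering_hosts):
            findings.append(("untrusted_plc_service_access", flow))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2018-03-16T10:02:11Z src=10.1.5.23 dst=203.0.113.8 proto=tcp dport=445 action=allow
2018-03-16T10:02:12Z src=10.1.5.23 dst=10.1.5.40 proto=tcp dport=445 action=allow
2018-03-16T10:02:13Z src=10.1.5.23 dst=198.51.100.7 proto=tcp dport=443 action=allow
2018-03-16T10:03:01Z src=10.1.7.200 dst=10.1.9.10 proto=tcp dport=2455 action=allow
2018-03-16T10:03:02Z src=10.1.9.5 dst=10.1.9.10 proto=tcp dport=6626 action=allow
2018-03-16T10:03:03Z src=10.1.9.5 dst=10.1.9.10 proto=udp dport=2455 action=allow
this line is not a flow record
""".splitlines()
PLC_HOSTS = {"10.1.9.10"}
TRUSTED_ENGINEERING = {"10.1.9.5"}


def run_demo():
    return check_flows(SAMPLE_LOG, PLC_HOSTS, TRUSTED_ENGINEERING)


if __name__ == "__main__":
    for kind, flow in run_demo():
        print(f"{flow.ts} {kind}: {flow.src} -> {flow.dst}:{flow.dport} ({flow.action})")
```

The outbound SMB rule is the one to wire into alerting first: it needs no site-specific knowledge beyond the internal ranges, whereas the PLC rule depends on keeping the trusted-device list current.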

The credentials of the intended targets were used to access victims’ networks. From there, the malware established multiple local administrator accounts, each with a specific purpose. The goals ranged from creation of additional accounts to cleanup activity.

Next, tools were downloaded from a remote server, which manipulated Microsoft Windows shortcut files and the registry to gather and store user credentials. They also used the infrastructure of staging targets to connect to intended targets using the stolen credentials and remote access services.

An ICS reconnaissance phase followed, which included tactics like:
• Using batch scripts to enumerate the industrial control network
• Using scheduled tasks and a screenshot utility to capture the screens of systems across the network
• Using text files to hold lists of host information
• Accessing computers on the corporate network to take data output about control and SCADA systems, including ICS vendor names and reference documents
• Gathering profile and configuration information for ICS systems

The threat actors also conducted activity to hide their tracks, such as clearing logs and removing malware applications, registry keys and screen captures.

While long on details about the infection and reconnaissance phases of the Russian cyberattacks, the US-CERT advisory is notably, but not surprisingly, lacking in detail about what equipment was targeted and what disruption was intended.

The goal of the advisory is to provide the intended targets, which are asset owners, with a wide set of clues for determining if your facility is infected. If so, you need to eradicate the infection and report it to authorities.

APTs Detected
The list of detection and prevention measures provided in the Alert (TA18-074A) is extensive. Anyone glancing at the list will realize it will take a lot of manpower and focus to do all the log and file checking, as well as the security improvements recommended.

What Next?
This US-CERT alert is a milestone. It makes it perfectly clear that U.S. infrastructure and critical manufacturing sectors are under Russian cyberattack.

If your organization is in one of the targeted sectors, now is the time to check for and eradicate the malware before a final ICS attack occurs. Even if your operation is in another country or another sector, you likely want to do the same thing.

To help you efficiently deal with the risk level and workload associated with this alert, consider a real-time cybersecurity and operational visibility solution.
Moreno Carullo is founder and chief technology officer at Nozomi Networks. Heather MacKenzie is with Nozomi Networks. This is an excerpt from her blog.

Thursday, March 8, 2018 @ 05:03 PM gHale

Aerospace, defense and security provider Leonardo partnered with network monitoring provider, Nozomi Networks to offer increased network visibility in a move to enhance Leonardo’s Cyber Protection Program for Industrial and Critical National Infrastructures (CNI).

“The cyber threat to critical infrastructure, industrial systems and operational technology networks is at an all-time high, thus generating growing customer demand for better protection,” said Andrea Biraghi, managing director of Leonardo’s Security & Information Systems Division. “We’ve partnered with Nozomi Networks because they provide the strongest possible solution when it comes to detecting anomalies early and proactively, preventing threats within our customers’ environments.”

Deep knowledge of the complexities of ICS networks, continuous innovation and expertise in artificial intelligence were the reasons why Leonardo went with Nozomi Networks and its SCADAguardian product, officials said.

Now in its third generation, Nozomi’s technology includes real-time ICS monitoring, industrial network visualization, hybrid ICS threat and anomaly detection, asset inventory and vulnerability assessment.

Focused on the military and CNI fields, Leonardo provides a systemic approach that covers the entire lifecycle of cybersecurity programs including security governance, assessment and design of digital infrastructures, the adoption of specific technologies for SCADA/ICS protection, the design and operation of industrial security operations centers and cyber threat intelligence systems.

Leonardo is pursuing an open innovation approach, in line with the strategic drivers of the Industrial Plan recently presented, collaborating with the best universities and national institutions of the countries in which the Company operates and activating synergies and qualified partnerships with innovative start-ups to integrate the best technologies.

“(Leonardo has) an intimate understanding of the unique demands these networks face and we look forward to helping them make infrastructure around the world more safe,” said Nozomi Networks co-founder and chief product officer Andrea Carcano.