Havex Variant Brings Attack via OPC

Wednesday, July 23, 2014 @ 12:07 PM gHale


A variant of the Havex malware contains an OPC scanner that could be leveraged to launch cyber attacks against critical infrastructure, researchers said.

FireEye investigators uncovered the scanner while investigating a Havex variant called “Fertger” or “Peacepipe.”

This variant is the first publicized version of this malware reported to actively scan OPC servers used for controlling SCADA (Supervisory Control and Data Acquisition) devices in the critical infrastructure, energy and manufacturing sectors, FireEye Threat Intelligence Analyst Kyle Wilhoit said in a blog post.

“If an attacker wanted to attack an OPC server, they would need and want details of the OPC servers they were targeting. Having the OPC scan data gives the attacker enough information to start possible next phases of an attack against a SCADA environment,” he said.

Havex is a family of remote-access Trojans used during several attacks on critical infrastructure. It was active for at least the last year and its mission was to pull vast amounts of information from infected machines.

“While Havex itself is a somewhat simple PHP Remote Access Trojan (RAT) that has been analyzed by other sources, none of these have covered the scanning functionality that could impact SCADA devices and other industrial control systems (ICS),” Wilhoit said. “Specifically, this Havex variant targets servers involved in OPC (Object linking and embedding for Process Control) communication, a client/server technology widely used in process control systems (for example, to control water pumps, turbines, tanks, etc.).”

“Since ICS networks typically don’t have a high level of visibility into the environment, there are several ways to help minimize some of the risks associated with a threat like Havex. First, ICS environments need to have the ability to perform full packet capture ability. This gives incident responders and engineers better visibility should an incident occur.

“Also, having mature incident processes for your ICS environment is important. Being able to have security engineers that also understand ICS environments during an incident is paramount. Finally, having trained professionals consistently perform security checks on ICS environments is helpful. This ensures standard sets of security protocols and best practices are followed within a highly secure environment,” he said.

Havex is just one threat facing critical infrastructure organizations. ICS-CERT urged critical infrastructure companies to check their networks for signs of intrusion following the discovery of a fresh Dragonfly hack campaign earlier in July.



