Financial Attacks Hitting ICS

Tuesday, January 13, 2015 @ 09:01 AM gHale

Financial malware is hitting ICS/SCADA networks disguised as GE, Siemens, and Advantech HMI products.

These attacks target plant-floor networks with banking Trojan malware posing as legitimate ICS software updates and files.

Kyle Wilhoit, senior threat researcher with Trend Micro, recently found 13 different crimeware variants disguised as human machine interface (HMI) products, including Siemens Simatic WinCC, GE Cimplicity, Advantech device drivers, and other files. The attacks appear to come from traditional cybercriminals rather than nation-state actors, and they do not use cyber espionage-type malware.

The ICS/SCADA community is aware of the potential for attacks from nation states, but users must now remain ultra vigilant because banking malware has become sophisticated enough to get in and actually steal.

ICS/SCADA systems remain low-hanging fruit for bad guys. HMI machines remain Windows-based and either don’t run anti-malware software or aren’t updated with the latest signatures.

Targeted attacks on critical infrastructure via Havex and BlackEnergy remain a threat, but crimeware-based attacks could end up being a big problem as well.

HMI systems are highly sensitive, so a malware infection via a financial Trojan could bring down the system as well.

Wilhoit said in a published report that he noticed a spike in attacks in October. The attacks originate as spear-phishing campaigns and drive-by downloads: when the victim visits the malicious link, the fake HMI product uploader, which is the Trojan itself, infects the computer.

Application whitelisting, keeping AV updated, and network security monitoring are ways to defend against these attacks.
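The first of those defenses, application whitelisting, is the one that directly counters an installer that merely borrows a vendor's product name. The following is an added example written for this page, not code from the article or from Trend Micro, showing the core of a hash-based allowlist check: a binary runs only if its SHA-256 digest matches one an engineer has vetted, and an unknown binary whose filename imitates one of the impersonated products (WinCC, Cimplicity, Advantech) is flagged as a likely impersonation rather than a generic unknown. The installer contents, the allowlist entries, and the filenames are all constructed for the example.

```python
import hashlib

# Constructed stand-ins for installer contents (not real vendor binaries).
VETTED_INSTALLER = b"MZ\x90\x00 vetted WinCC update obtained from vendor media"
TAMPERED_INSTALLER = b"MZ\x90\x00 same filename, different bytes"
UNRELATED_BINARY = b"MZ\x90\x00 something nobody approved"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a file's bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# Allowlist keyed by digest, not by filename: only binaries an engineer has
# verified against vendor-published checksums get in. Hypothetical entry,
# built here from the constructed sample above.
ALLOWED_SHA256 = {
    sha256_hex(VETTED_INSTALLER): "Siemens Simatic WinCC update (vetted)",
}

# Product names the article says the crimeware imitated. An unknown binary
# carrying one of these names is treated as a probable impersonation so it
# can be triaged ahead of ordinary unknowns.
IMPERSONATED_PRODUCTS = ("wincc", "cimplicity", "advantech")


def classify(filename: str, data: bytes, allowed=ALLOWED_SHA256) -> str:
    """Return 'allow', 'block-impersonation' or 'block-unknown'.

    The digest decides; the filename only sharpens the verdict for blocked
    files, so a renamed vetted installer still runs and a fake one with the
    right name still does not.
    """
    if sha256_hex(data) in allowed:
        return "allow"
    if any(product in filename.lower() for product in IMPERSONATED_PRODUCTS):
        return "block-impersonation"
    return "block-unknown"


# Constructed sample set: one genuine update, two look-alikes, one stray binary.
SAMPLES = [
    ("WinCC_Update.exe", VETTED_INSTALLER),
    ("WinCC_Update.exe", TAMPERED_INSTALLER),
    ("Advantech_driver_setup.exe", TAMPERED_INSTALLER),
    ("report_viewer.exe", UNRELATED_BINARY),
]


def scan(samples=SAMPLES, allowed=ALLOWED_SHA256):
    """Classify every (filename, bytes) pair and return the verdicts in order."""
    return [(name, classify(name, data, allowed)) for name, data in samples]


if __name__ == "__main__":
    for name, verdict in scan():
        print(f"{verdict:20} {name}")
```

Real enforcement on an HMI would be done by the operating system's application control mechanism rather than a script, but the decision rule is the same: trust the digest (or a verified publisher signature), never the name, and record every block so network security monitoring has something to correlate against the phishing or drive-by download that delivered the file.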
