SCADA Alert: Sandworm Targets Systems

Tuesday, October 21, 2014 @ 03:10 PM gHale

SCADA systems need to be on alert as Sandworm is now targeting them, researchers said.

After noting CVE-2014-4114 was being used in attacks against the North Atlantic Treaty Organization (NATO) and several European industries and sectors, Trend Micro researchers Kyle Wilhoit and Jim Gogolinski discovered new attacks using the same vulnerability.


“Our researchers have just found active attacks against organizations using supervisory control and data acquisition (SCADA) system software as an apparent first step in APT-style targeted attacks,” said the Trend Micro advisory.

SCADA-based systems monitor and control industrial processes that exist in the physical world. SCADA-based systems usually end up deployed in large-scale processes that can include multiple sites, and large distances, covering industrial, infrastructure, and facility-based processes, such as nuclear power plants.

This development comes on the heels of the Sandworm spy group unveiled by security firm iSIGHT Partners.

iSIGHT found the spear-phishing attacks relied on exploitation of a Zero Day vulnerability affecting all supported versions of Microsoft Windows (XP is not affected) and Windows Server 2008 and 2012.

The vulnerability, dubbed Sandworm (CVE-2014-4114) because of references to Frank Herbert's Dune contained in the exploit code, is in the OLE Packager in Microsoft Windows and Windows Server. In this particular case, malicious Microsoft PowerPoint files made the OLE Packager download additional malicious files, which allowed the attackers to execute commands on the targeted systems.
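The attack shape described above leaves a checkable trace in the PowerPoint file itself: an OOXML package normally keeps its OLE payloads inside the archive (under ppt/embeddings), whereas a file built to drive the OLE Packager out to the network carries an oleObject relationship whose target is external (a UNC share, file:// or http:// URL). The scanner below, an added example that is not part of the original article and not code from Trend Micro or iSIGHT, opens a PowerPoint package as a zip, reads every .rels part, and reports OLE relationships with external targets. The sample packages it builds are constructed test data; the 203.0.113.10 address is a documentation placeholder, not an indicator from any real campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type used for embedded or linked OLE objects.
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"

# Target forms that send the OLE Packager outside the package:
# UNC share (\\host\share), file:, http(s):, smb:
REMOTE_TARGET = re.compile(r"^(\\\\|//|file:|https?:|smb:)", re.IGNORECASE)


def external_ole_targets(pptx_bytes):
    """Return [(rels_part, target)] for every OLE relationship in the package
    whose target lies outside the archive. A legitimate deck embeds its OLE
    payloads; an external, remote target is the shape CVE-2014-4114 abuse takes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                # A .rels part that does not parse is itself worth a look.
                findings.append((name, "<unparseable .rels>"))
                continue
            for rel in root.iter(REL_TAG):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if external or REMOTE_TARGET.match(target):
                    findings.append((name, target))
    return findings


def build_sample(external_target=None):
    """Construct a minimal PowerPoint-style package (constructed test data).
    With external_target=None the OLE object is embedded (benign shape);
    otherwise it is linked to the given remote path (the exploit shape)."""
    if external_target is None:
        ole_rel = ('<Relationship Id="rId2" Type="%s" '
                   'Target="../embeddings/oleObject1.bin"/>' % OLE_REL_TYPE)
    else:
        ole_rel = ('<Relationship Id="rId2" Type="%s" Target="%s" '
                   'TargetMode="External"/>' % (OLE_REL_TYPE, external_target))
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
            'relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
            + ole_rel + '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                   'package/2006/content-types"/>')
        z.writestr("ppt/slides/slide1.xml",
                   '<?xml version="1.0"?><p:sld xmlns:p="http://schemas.openxmlformats.org/'
                   'presentationml/2006/main"/>')
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        if external_target is None:
            z.writestr("ppt/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Benign deck: OLE object embedded, nothing reported.
    print("embedded:", external_ole_targets(build_sample()))
    # Exploit shape: OLE object linked to a UNC share (placeholder address).
    print("linked:", external_ole_targets(
        build_sample(r"\\203.0.113.10\public\slide1.gif")))
```

Run it over a mail gateway's quarantined .ppsx/.pptx files; any hit is a file that will reach out to the named host when opened, which is reason enough to block it regardless of whether the rest of the exploit chain matches a known sample.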

Trend Micro said it spotted that same Zero Day vulnerability being used to target SCADA-based systems.

The Sandworm group has been active since at least 2009, but early last month it started using the Zero Day bug that affects all supported versions of Microsoft Windows. It then reportedly took Microsoft six weeks to develop a patch for the problem.

Trend Micro said it saw the Sandworm exploit used, via a spear-phishing email, to target Microsoft Windows PCs running GE Intelligent Platforms' CIMPLICITY HMI solution suite.

The email carries a malicious attachment that the CIMPLICITY application opens, and the attachment attempts to exploit the Sandworm vulnerability in Microsoft Windows, Trend Micro said.

“If the attack against the Microsoft Windows system running CIMPLICITY is successful it attempts to download the Black Energy malware onto the system,” said Trend Micro, adding Black Energy is a malware family associated with targeted attacks that gives complete and remote control over a compromised system.
