Update to ICS Malware Alert

Monday, June 30, 2014 @ 05:06 PM gHale

ICS-CERT is analyzing malware and artifacts associated with an ICS focused malware campaign that uses multiple vectors for infection.

These vectors include phishing emails, redirects to compromised web sites and most recently, Trojanized update installers on at least three industrial control systems (ICS) vendor web sites, in watering hole-style attacks.

Feds: Malware Focusing on ICS
Malware Targets ICS/SCADA
Highway Sign Fix: Change Default Password
OpenSSL Security Advisory Released

Based on information ICS-CERT garnered from Symantec and F-Secure, the software installers for these vendors suffer from an infection from malware called the Havex Trojan. These techniques could have allowed attackers to access the networks of systems that have installed the Trojanized software, researchers said. The identities of the industrial control system vendors remained secure along with additional indicators of compromise to critical infrastructure owners and operators.

Havex is a Remote Access Trojan (RAT) that communicates with a Command and Control (C&C) server. The C&C server can deploy payloads that provide additional functionality. F-Secure and ICS-CERT identified and analyzed one payload that enumerates all connected network resources such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the classic OPC standard to gather information about connected control system resources within the network. The known components of the identified Havex payload do not appear to target devices using the newer OPC Unified Architecture (UA) standard.

In particular, the payload gathers server information that includes Class Identification (CLSID), server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. In addition to more generic OPC server information, the Havex payload also has the capability of enumerating OPC tags. Specifically the server ends up queried for tag name, type, access, and id. ICS-CERT is currently analyzing this payload; at this time ICS-CERT has not found any additional functionality to control or make changes to the connected hardware.

ICS-CERT testing determined the Havex payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications.

ICS-CERT is also evaluating possible linkages between this activity and previous watering hole compromises and malware campaigns. ICS-CERT will actively provide additional information including indicators of compromise as analysis progresses.

OPC provides an open standard specification that is widely used in process control, manufacturing automation, and other applications. The technology facilitates open connectivity and vendor equipment interoperability. The original version of the OPC specification, referred to as OPC classic, uses Microsoft’s COM/DCOM (Distributed Component Object Model) technology. In 2006, the OPC Foundation released a new standard, referred to as OPC Unified Architecture (UA), which does not use COM/DCOM. The known components of the identified Havex payload do not appear to target devices using the newer OPC UA standard.

Click here for more information including indicators of compromise.

The Symantec and F-Secure reports include technical indicators of compromise a user can review for detection and network defense.

OPC specific recommendations include:
• Enforce strict access control lists and authentication protocols for network level access to OPC clients and servers.
• Consider using OPC tunneling technologies to avoid exposure of any legacy DCOM based OPC services.
• When using OPC .NET based communications, ensure that the HTTP server enforces proper authentication and encryption of the OPC communications for both clients and servers.
• Leverage the OPC Security specification when possible.

Additional mitigations to consider include:
• Always keep your patch levels up to date, especially on computers that host public services accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Maintain up-to-date antivirus signatures and engines, and apply them based on industrial control system vendor recommendations.
• Build host systems, especially critical systems such as servers, with only essential applications and components required to perform the intended function. Where possible remove or disable any unused applications or functions to limit the attack surface of the host.
• Implement network segmentation through V-LANs to limit the spread of malware.
• Exercise caution when using removable media (USB thumb drives, external drives, CDs).
• Consider the deployment of Software Restriction Policy set to only allow the execution of approved software (application whitelisting)
• Whitelist legitimate executable directories to prevent the execution of potentially malicious binaries.
• Consider the use of two-factor authentication methods for accessing privileged root level accounts or systems.
• When using remote access, consider deploying two-factor authentication through a hardened IPsec/VPN gateway with split-tunneling prohibited for secure remote access. Be prepared to operate without remote access during an incident if required.
• Implement a secure socket layer (SSL) inspection capability to inspect both ingress and egress encrypted network traffic for potential malicious activity.
• Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
• Place control system networks behind firewalls and isolate or air gap them from the business network.
• Provide robust logging such as network, host, proxy, DNS and IDS logs.
• Leverage the static nature of control systems to look for anomalies.
• Use configuration management to detect changes on field devices. Produce an MD5 checksum of clean code to verify any changes.
• Prepare for an incident with a dedicated incident response team and an incident response plan. Test both your plan and your team.
• If an incident occurs, leave the computer on if possible. Do not run antivirus as it modifies the time stamp on all files that it accesses.
• ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

Leave a Reply

You must be logged in to post a comment.