Vulnerabilities / Threats // Advanced Threats
6/26/2014
01:15 PM

As Stuxnet Anniversary Approaches, New SCADA Attack Is Discovered

F-Secure has unearthed a new attack against industrial control systems that goes after European targets, using rare infection vectors.

Nearly four years since Stuxnet broke onto the scene, F-Secure has discovered another series of attacks against industrial control systems -- this time aiming at mostly European organizations. The attackers' ultimate motives are unclear. Researchers suspect they are simply gathering intelligence in preparation for a more serious attack.

The attackers are infecting SCADA and ICS systems with the HAVEX remote access tool (mostly used for information gathering), using a unique infection vector. In addition to the usual phishing messages and exploit kits, the attackers compromised the websites of three industrial application vendors and swapped their legitimate installers with ones that would also install HAVEX when downloaded and run. This "watering-hole" attack -- compromising intermediaries to gain access to the real targets -- is uncommon.
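The trojanized-installer vector described above is the one stage a downloading organization can check for itself: compare the bytes it actually received against the digest the vendor published through a separate channel. The following is an added example, not code from the article, F-Secure, or any of the vendors involved; the installer bytes and the SHA256SUMS-style manifest are constructed for the demo, and the filename `vendor-setup-1.0.exe` is a placeholder.

```python
"""Verify a downloaded installer against a vendor-published hash manifest.

Added example (not from the article or F-Secure). Assumes the vendor publishes
a SHA256SUMS-style manifest out of band (signed release notes, a mailing list,
a second domain); the manifest and installer bytes below are constructed.
"""
import hashlib
import hmac

# Constructed sample: the installer the vendor actually released.
GENUINE_INSTALLER = b"MZ\x90\x00" + b"vendor-setup-1.0" * 64

# Constructed sample: the same installer with an extra component appended,
# standing in for a swapped installer on a compromised download page.
TROJANIZED_INSTALLER = GENUINE_INSTALLER + b"\x00extra-component\x00"

# Constructed manifest in the usual "<hex digest>  <filename>" layout
# (a leading '*' on the filename marks binary mode in sha256sum output).
MANIFEST = (
    f"{hashlib.sha256(GENUINE_INSTALLER).hexdigest()}  *vendor-setup-1.0.exe\n"
    "# comment lines and blank lines are ignored\n"
)


def parse_manifest(text: str) -> dict:
    """Map filename -> expected lowercase hex SHA-256; reject malformed lines."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        expected[name.strip().lstrip("*")] = digest.lower()
    return expected


def verify_installer(data: bytes, name: str, manifest: str) -> bool:
    """True only if `data` hashes to the digest the manifest lists for `name`.

    An unknown filename is a failure, not a pass: silently accepting files the
    manifest does not cover would defeat the check.
    """
    expected = parse_manifest(manifest)
    if name not in expected:
        return False
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected[name])


if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_INSTALLER),
                        ("trojanized", TROJANIZED_INSTALLER)):
        ok = verify_installer(blob, "vendor-setup-1.0.exe", MANIFEST)
        print(f"{label}: {'OK' if ok else 'MISMATCH - do not run'}")
```

The check is only as strong as the source of the manifest. In the case the article describes the vendors' own websites were compromised, so a hash list served from the same site could have been replaced along with the installer; the digest needs to come from a channel the attacker did not control, or from a signed manifest whose key was obtained independently.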

Once HAVEX is installed, it calls back to its command-and-control servers -- which are mostly unrelated third-party websites and blogs that the attackers have compromised -- and receives instructions to download and execute further components.

According to F-Secure, "one of these components appeared very interesting. While analyzing this component, we noticed that it enumerates the local area network and looks for connected resources and servers."

They found that the malware was going after OPC, an open programming interface (still used mostly by Windows applications) that enables disparate industrial components to communicate with one another.

As F-Secure explains:

It's a standard way for Windows applications to interact with process control hardware. Using OPC, the malware component gathers any details about connected devices and sends them back to the C&C for the attackers to analyze. It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware.

The additional payload used to gather details about ICS/SCADA hardware connected to infected devices shows the attackers have direct interest in controlling such environments. This is a pattern that is not commonly observed today.

Dale Peterson, founder and CEO of Digital Bond, provided more insight:

What [HAVEX] is doing to OPC servers is still unclear. If this is an early phase of an attack it could simply be running OpcEnum to gather information about what OPC servers are on the network. Most do not deploy the available security controls in OPC because it is difficult... and it breaks necessary comms if not done right. Also, the lack of good coding practices leaves many OPC servers with vulnerabilities, some disclosed and many just waiting to be found or used.

The organizations that have been infected with HAVEX are mostly European: two French universities known for tech research, one French producer of industrial machine products, two German producers of industrial application and machine products, a Russian construction company, and one California company (about which no information has been provided). The "watering holes" are also European, located in Germany, Switzerland, and Belgium.

If the targets had been American, Chinese, or Middle Eastern, people might more readily conclude that the attacks were politically motivated and carried out by nation-state actors. The fact that the targets are mostly in Western Europe may instead point to organized crime, probably motivated by financial gain.

"This does look like professional-class malware," says Andrew Ginter, vice president of industrial security at Waterfall Security, "which rules out some suspects. It rules out hacktivists, because they are not well funded enough. That leaves organized crime and nation-states."

Ginter says that he is not surprised that this attack is possible and that it manipulates weaknesses in the supply chain of industrial security systems, because experts (himself included) have been warning of such things for years.

"It's nothing like Stuxnet," he says, explaining that this is a more generalized threat as opposed to one laser-focused on a single target, "but it's confirmation that all those things people have been telling you are true. It's disturbing."

Ginter says the potential for soft spots in the supply chain has been and will continue to be a problem, especially in safety systems, which have sometimes been counterfeited for profit.

"Control systems will always have a softer interior than IT systems," but that's for legitimate reasons. It's not just because of the possibility of outages, but rather that of explosions or other physical disasters. "It's because every change to the safety system is a threat to your life."

However, he points out that, although the supply chain is being used as the infection vector, there are other stages of attacks that can be dealt with -- the website or the communications between infected machines and C&C servers, for example.

Digital Bond's Peterson takes it a step further:

F-Secure’s discovery of this ICS malware leads to a question... shouldn’t DHS / INL / ICS-CERT be scouring malware data and samples to identify ICS malware?

Developing a process and tools to identify potential ICS malware in large samples seems like an ideal project for DHS / INL / ICS-CERT. Then give it, don’t try to sell it a la Sophia, to those with large samples with some agreement to share the results. The ICS world would get some great threat data from the often touted, but rarely of value, public/private partnership. Big win.

ICS-CERT has issued an alert here.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Bprince, User Rank: Ninja, 6/27/2014 | 11:10:40 PM
Re: Stuxnet is another thing
I agree that the level of complexity is very different. Regardless, I think it underscores the importance of limiting the attack surface and locking those systems down as much as possible. No question that these attacks are going to continue to go up.

BP
securityaffairs, User Rank: Ninja, 6/27/2014 | 3:23:24 AM
Stuxnet is another thing
Hi guys, I'm reading on the internet that some colleagues are comparing this attack to the Stuxnet case. Be aware that the only factor in common is that both targeted an ICS/SCADA system, but the level of complexity behind the operation is totally different.

Stuxnet is considered a cyber weapon exploited by governments to hit Iranian critical infrastructure; its development required a huge effort in terms of money, resources and skills. I don't want to go deep into the details of the Stuxnet architecture, but the malware used in the recent attacks is a game if compared to Stuxnet. The dangerous aspect of the story is that the number of cyber attacks against critical infrastructures is increasing, and it is even easier to find openly on the internet everything necessary to hit vital components in critical processes.

I am afraid that we will see an explosion of similar attacks in the next months; in the majority of cases they will go undetected, and this is a real problem.

Take a look at a recent presentation I made with the popular hacker Raoul Chiesa at Security Summit in Rome:

http://securityaffairs.co/wordpress/25984/security/xp-critical-infrastructure.html

http://securityaffairs.co/wordpress/26092/cyber-crime/cyber-espionage-havex.html
RyanSepe, User Rank: Ninja, 6/26/2014 | 10:07:10 PM
Admin Accounts
Again, it's these "watering hole" events that make it crucial to have a standard account and an admin account with no internet capabilities. I know this isn't the main goal for this specific information gathering; however, if they wanted to, they could use the spoofed app to pull credentials and gain industry information, change configurations, and potentially do major future damage.

Just something to point out to help mitigate the risk of attacks that involve the watering hole event and potentially stunt major detrimental damage.
David Wagner, User Rank: Apprentice, 6/26/2014 | 5:35:20 PM
Ominous
Wow, this isn't frightening at all. Just gathering intelligence for a future attack? Too-well-funded for anything but organized crime or a government?

Lovely.

So are Americans lucky here, or are we the next target?
