Endpoint

5/28/2015 09:00 AM
Data Theft The Goal Of BlackEnergy Attacks On Industrial Control Systems, Researchers Say

CyberX analysis of BlackEnergy module reveals most likely motive behind sophisticated multi-year attack campaign.

Data theft appears to be the primary motivation behind a sophisticated malware campaign directed at U.S. industrial control systems (ICS) networks since at least 2011.

That’s the conclusion of security vendor CyberX, based on its analysis over the past several months of the malware toolset used in the campaign. In a report released this week, CyberX said it has found clues suggesting that the attackers behind the campaign may be infecting machines that are used to interface and communicate with industrial control systems in order to steal data from deep inside ICS networks.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) first sounded the alarm on the threat last October and followed up with an update in December 2014. Both alerts identified the malware being used in the campaign as variants of BlackEnergy, a crimeware tool that has been around for several years and used in various previous criminal campaigns.

The ICS-CERT alerts warned of numerous industrial control systems networks being compromised in the campaign, with multiple victims saying they had identified the malware on Internet-connected human-machine interface (HMI) systems running products such as GE Cimplicity, Siemens WinCC, and Advantech/Broadwin WebAccess.

The alerts noted that the threat actors behind the campaign appear to be initially attempting to gain access to Internet-connected HMI systems by taking advantage of previously known vulnerabilities in such systems. In the case of Windows machines running GE Cimplicity web server for instance, the attackers exploited a directory traversal flaw in the WebView component of the software to install BlackEnergy on vulnerable systems. ICS-CERT said its analysis showed that automated tools were used to search for and compromise vulnerable systems.

At the time it released the alerts, ICS-CERT said it had not been able to discern any obvious motivation for the campaign or any attempts to damage, disrupt or modify infected ICS systems and networks. ICS-CERT also said it had not been able to determine whether the threat actors behind the campaign had managed to expand their access beyond the HMI systems and into the underlying control systems network.

According to CyberX, its analysis of several BlackEnergy samples strongly indicates that data theft is the primary motive.

“After studying a series of samples we managed to focus on BlackEnergy 3 (the third generation of the BlackEnergy family of malwares), which incorporates a mechanism that seems to be designed for this purpose,” the CyberX report said.

While reverse-engineering the malware, CyberX discovered two Remote Procedure Call (RPC) functions that appear designed to receive files and other data from remote machines.

The module CyberX discovered appears to let data be siphoned out of ICS systems and networks that have no Internet connectivity to the Internet-connected HMI systems, crossing the firewall as RPC communication carried over the Server Message Block (SMB) protocol.
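One way a defender could surface the traffic pattern described above, as an added example that is not from the article or from CyberX: a small Python check over constructed firewall flow records that totals SMB bytes pushed from an assumed isolated ICS address range to an assumed Internet-connected HMI segment. The zone ranges, ports, threshold and log lines are all assumptions made for the example.

```python
# Added example (not from the article or CyberX). Flags hosts in an isolated
# ICS segment that push bulk data over SMB to the HMI tier, which is the
# direction the article says the BlackEnergy 3 RPC-over-SMB module would use.
from ipaddress import ip_address, ip_network
from collections import defaultdict

ICS_ZONE = ip_network("10.20.0.0/16")      # assumed: isolated control network
HMI_ZONE = ip_network("192.168.50.0/24")   # assumed: Internet-connected HMI segment
SMB_PORTS = {445, 139}                     # SMB direct and NetBIOS session

# Constructed firewall flow records: timestamp,src,dst,dport,bytes_sent
SAMPLE_LOG = """\
2015-05-20T01:02:03,10.20.4.7,192.168.50.10,445,18433221
2015-05-20T01:02:09,10.20.4.7,192.168.50.10,445,9120300
2015-05-20T01:05:00,10.20.4.8,10.20.4.1,502,1200
2015-05-20T01:06:00,192.168.50.10,10.20.4.7,445,2048
2015-05-20T01:07:00,10.20.9.3,192.168.50.11,445,120
"""

def parse_flow(line):
    """Split one CSV flow record into typed fields."""
    ts, src, dst, dport, nbytes = line.strip().split(",")
    return ts, ip_address(src), ip_address(dst), int(dport), int(nbytes)

def find_ics_to_hmi_smb(log_text, byte_threshold=1_000_000):
    """Return {src_ip: total_bytes} for ICS_ZONE hosts that sent more than
    byte_threshold bytes over SMB to HMI_ZONE hosts.

    Normal HMI traffic runs the other way (HMI polling controllers) and over
    ICS protocols such as Modbus/502, so a control-side host sending bulk SMB
    data toward the HMI tier is the anomaly worth reviewing. Engineering
    workstations that legitimately share files with HMIs should be baselined
    and allow-listed before alerting on this."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport, nbytes = parse_flow(line)
        if src in ICS_ZONE and dst in HMI_ZONE and dport in SMB_PORTS:
            totals[str(src)] += nbytes
    return {ip: total for ip, total in totals.items() if total > byte_threshold}

if __name__ == "__main__":
    for ip, total in find_ics_to_hmi_smb(SAMPLE_LOG).items():
        print(f"review: {ip} sent {total} bytes over SMB to the HMI segment")
```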

“Our research has led us to the conclusion that there may be other undiscovered plugins, which would be responsible for the reconnaissance and data exfiltration from the deeper parts of the organizational network,” CyberX warned in its report.

The report focuses attention on what a growing number of security experts say is the continuing misconception that isolating an ICS network from the Internet is sufficient protection against all threats.

In a report released last year, security vendor Kaspersky Labs had noted how industrial networks could be disrupted not just by a production unit failure or operator error, but also by software errors resulting from accidental or deliberate infection of workstations connected to such networks.

While Stuxnet remains the best known example of malware designed to exploit ICS networks, there are many other industrial control systems infected with ordinary malware that pose a threat as well, Kaspersky said.

“In industrial networks, regular malware can cause far greater damage than when it infects office or home computers,” the report had noted. “For instance, it may block the operation of critical applications, thus leading to hardware failure. The potential consequences may go far beyond even the plans of many malware writers.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
