Threat Intelligence

8/8/2018
08:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Researchers Release Free TRITON/TRISIS Malware Detection Tools

Team of experts re-creates the TRITON/TRISIS attack to better understand the epic hack of an energy plant that ultimately failed.

BLACK HAT USA – Las Vegas – A team of ICS experts who spent the past year studying and re-creating the so-called TRITON/TRISIS malware that targeted a Schneider Electric safety instrumented system (SIS) at an oil and gas petrochemical plant has developed open source tools for detecting it.

Researchers from Nozomi Networks, along with independent ICS expert Marina Krotofil, previously with FireEye, today demonstrated how the malware works, as well as a simulation of how it could be used to wage a destructive attack. TRITON/TRISIS was discovered in 2017 in a Middle Eastern plant after an apparent failure in the attack shut down its Triconex safety systems. No official payload was ever deployed or found, so researchers, to date, have only been able to speculate about the attackers' ultimate plans.

Nozomi Networks recently released the TriStation Protocol Plug-in for Wireshark that the researchers wrote to dissect the Triconex system's proprietary TriStation protocol. The free tool can detect TRITON malware communicating in the network, as well as gather intelligence on the communication, translate function codes, and extract PLC programs that it is transmitting.

The researchers today added a second free TRITON defense tool, the Triconex Honeypot Tool, which simulates the controller so that ICS organizations can set up SIS lures (honeypots) to detect TRITON reconnaissance scans and attack attempts on their safety networks.

Andrea Carcano, founder and chief product officer at Nozomi, says he and his team re-created the attack in their lab, and found that writing custom malware like TRITON/Trisis would not be as difficult or as expensive as you'd think. TriStation software sells for about $3, for example, on one e-commerce website in China, and the hardware sells for anywhere from $5,000 to $10,000 on eBay and Alibaba. The TriStation engineering software file names have information on the software architecture and structure, Carcano said.

"Everyone believed this malware was more sophisticated," he says. "But if you have a little knowledge and patience, you can go online and download the manuals, software, and buy a Triconex controller on eBay like we did ... and build the attack in your house."

Schneider Electric, meanwhile, maintains that a TRITON-type attack would require a skilled threat actor. Andy Kling, director of cybersecurity and system architecture for Schneider, notes that even if an attacker had the Triconex equipment on hand, the attacker would still need to understand how it works. "You'd still need to have a certain level of understanding of how not to step on the safety program and how to stealthily inject this malware into the device," he says. "Those skills, we believe, are still pretty high."

Kling says Schneider is still operating under the same working theory that the TRITON malware was "in development" and that the attackers likely hadn't yet completed their malware arsenal for fully deploying the remote access Trojan. "Or perhaps they had another team and they had not gotten to the final payload piece," he said.

Liam O'Murchu, director of security technology and response at Symantec, says there are still plenty of questions surrounding the intention of the attack and whether it was a test-run or a failed attack. "Was it a competitor trying to take over another competitor? That's one suspicion about it," he says. "They were specifically focused on that particular target."

During its forensic investigation of the attack, Schneider wrote its own malware detection tool for TRITON. "We have been running the program to help our customers see if they were infected by it," Kling says. "We've been running it for months, and there have been no 'positive' [detection] results worldwide, and no new indicators of compromise."

Another Hole
While analyzing TRITON, the Nozomi researchers also stumbled on a built-in backdoor maintenance function in the Triconex TriStation 1131 version 4.9 controller.

"We also found two undocumented power users with hard-coded credentials," Nozomi wrote in a blog post today. "One of the power user's login enabled a hidden menu, which from an attacker's perspective, could be useful."

But Carcano says the feature was not part of the TRITON malware attack. That maintenance support feature has basically been phased out of later versions of the TriStation.

"Fifteen years ago, when those products were developed, you would have a support account built into the products. That was the norm," says Schneider Electric's Kling. But later versions of the software, from 4.9.1 and up, included recommendations and the ability to delete the account.

"As then time went on, [we added] a secure version of this product, and this [support] account no longer exists," he says.

Kling says Triconex users should update their software if they're still running the older 4.9 version.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
7 Free (or Cheap) Ways to Increase Your Cybersecurity Knowledge
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18519
PUBLISHED: 2018-11-19
BestXsoftware Best Free Keylogger 5.2.9 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.
CVE-2018-19355
PUBLISHED: 2018-11-19
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfi...
CVE-2008-7320
PUBLISHED: 2018-11-18
** DISPUTED ** GNOME Seahorse through 3.30 allows physically proximate attackers to read plaintext passwords by using the quickAllow dialog at an unattended workstation, if the keyring is unlocked. NOTE: this is disputed by a software maintainer because the behavior represents a design decision.
CVE-2018-19358
PUBLISHED: 2018-11-18
GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig...
CVE-2018-19351
PUBLISHED: 2018-11-18
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHand...