Attacks/Breaches
1/8/2015 03:16 PM
Banking Trojans Disguised As ICS/SCADA Software Infecting Plants

Researcher spots spike in traditional financial malware hitting ICS/SCADA networks -- posing as popular GE, Siemens, and Advantech HMI products.

A renowned ICS/SCADA security researcher has discovered a surprising twist in cyberattacks hitting plant floor networks: traditional banking Trojan malware posing as legitimate ICS software updates and files, rather than the custom nation-state malware the community has dreaded since Stuxnet.

Kyle Wilhoit, senior threat researcher with Trend Micro, recently found 13 different crimeware variants disguised as human machine interface (HMI) software: Siemens Simatic WinCC, GE Cimplicity, and Advantech device drivers and other files. The attacks appear to be coming from traditional cybercriminals rather than nation-state attackers, and are not using cyber espionage-type malware.

"It's an interesting trend -- traditional banking Trojans, not targeted attacks," Wilhoit says.

The ICS/SCADA community has been understandably on alert for the next Stuxnet-type attack, and recent discoveries of malware such as Havex and BlackEnergy, both of which have been detected targeting that environment, have put these types of nation-state, targeted attacks in focus.

But Wilhoit says his findings show that traditional cybercriminals are looking for targets in the ICS/SCADA world, and likely for money-making rather than spying or sabotage purposes. "So to succeed in attacking SCADA, you don't have to necessarily be targeted in nature... The ultimate end goal here is probably not industrialized espionage, but to get banking credentials" or other financially lucrative information, he says.

Bottom line: Many ICS/SCADA systems are soft targets. "We are starting to see a migration of attackers starting to realize SCADA is a good attack vector... because it's so insecure," he says. Many HMI machines are Windows-based and either don't run anti-malware software, or aren't updated with the latest signatures. "A lot we are finding are caught no problem with [up-to-date] antivirus," he says.

Wilhoit says targeted attacks on critical infrastructure via Havex and BlackEnergy indeed remain a threat, but the crimeware-based attacks he's seeing ultimately could be catastrophic as well. "It's just as scary. If an operator's HMI is infected... The damage can be the same even if it's not an advanced attack," he says.

HMI systems are highly sensitive to disruption, he says, so a malware infection via a financial Trojan could bring down the system as well. "HMI systems are very finicky, so it doesn't take much to make these things fall over. Financial information could be stolen, but what if an [HMI] box drops inadvertently?" he says.

Wilhoit says he first noticed a spike in these attacks in October, and he's not sure what prompted the jump in activity. The attacks originate as spear-phishing campaigns and drive-by downloads: When the victim visits the malicious link, the fake HMI product uploader -- which is the Trojan -- infects the machine. In some cases, the victim is redirected to a website that appears to be that of Siemens to dupe the user into downloading a WinCC update, for example.

Wilhoit says he recently found 32 malware samples posing as WinCC software. "They have been using the WinCC naming convention and file structure, as malware," he says.

"The shift… is they [attackers] are utilizing valid applications, valid SCADA naming conventions, so the banking Trojan looks like SCADA software," he says. "They're not exploiting vulnerabilities in those products," but using their naming conventions and file names as cover, he says. He says he has alerted the HMI vendors whose products are being used as lures in the attacks.

[ICS/SCADA experts say open-source network security monitoring software is a simple and cheap way to catch hackers targeting plant operations. Read Using Free Tools To Detect Attacks On ICS/SCADA Networks.]

At the S4 ICS/SCADA conference in Miami next week, Wilhoit plans to present an update on his findings about the attacks, as well as demonstrate live the lifecycle of these SCADA malware attacks: how they grab system information, scan systems, grab passwords, and exfiltrate data.

"I'm going to create malware targeting an ICS system and hiding its traffic on a valid ICS Modbus" network, he says. "I'm doing it to show how fast you can craft malware that's not terribly advanced but will bypass AV or" other security measures, he says.
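Wilhoit's demo is not described beyond the quote above, so the following is an added example, not his code or Trend Micro's. It shows the kind of structural sanity check a network security monitor can run on Modbus/TCP requests: it flags frames whose MBAP protocol identifier or length field is inconsistent, function codes outside the public set a register-polling plant would use (including the ranges the Modbus specification reserves for user-defined codes), and read requests that carry bytes beyond their fixed five-byte PDU. The sample frames, the allowed function set and the helper names are constructed for this example.

```python
import struct

# Public Modbus function codes a plant that only reads/writes coils and
# registers would normally emit (assumption for this example; tune per site).
READ_FUNCTIONS = {1, 2, 3, 4}                # fixed 5-byte request PDU: fcode, addr(2), qty(2)
PUBLIC_FUNCTIONS = READ_FUNCTIONS | {5, 6, 15, 16, 23}
# Ranges the Modbus Application Protocol spec reserves for user-defined codes.
USER_DEFINED = set(range(65, 73)) | set(range(100, 111))


def check_request(frame: bytes):
    """Return a list of findings for one Modbus/TCP request ADU
    (7-byte MBAP header followed by the PDU). Empty list = consistent."""
    findings = []
    if len(frame) < 8:
        return ["truncated: no function code after MBAP header"]
    _tid, pid, length, _uid = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    fcode = pdu[0]
    if pid != 0:
        findings.append(f"protocol id {pid} is not 0")
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    actual = len(frame) - 6
    if length != actual:
        findings.append(f"length field {length} but {actual} bytes follow")
    if fcode in USER_DEFINED:
        findings.append(f"user-defined function code {fcode}")
    elif fcode not in PUBLIC_FUNCTIONS:
        findings.append(f"unexpected function code {fcode}")
    if fcode in READ_FUNCTIONS and len(pdu) > 5:
        # A well-formed read request has nothing after the quantity field;
        # extra bytes ride along unnoticed by a slave that only parses the first five.
        findings.append(f"read request carries {len(pdu) - 5} trailing bytes")
    return findings


def build_request(tid, uid, pdu, length=None):
    """Assemble an ADU; the length field defaults to the correct value."""
    if length is None:
        length = 1 + len(pdu)
    return struct.pack(">HHHB", tid, 0, length, uid) + pdu


# Constructed sample traffic: one clean poll and three frames a monitor should question.
SAMPLES = {
    "normal read": build_request(1, 1, bytes([3, 0, 0, 0, 10])),
    "read with smuggled payload": build_request(2, 1, bytes([3, 0, 0, 0, 10]) + b"\x41" * 8),
    "user-defined code": build_request(3, 1, bytes([100, 0x01])),
    "wrong length field": build_request(4, 1, bytes([3, 0, 0, 0, 10]), length=20),
}


def scan(samples=SAMPLES):
    """Run every constructed frame through the checker; name -> findings."""
    return {name: check_request(frame) for name, frame in samples.items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(f"{name}: {findings or 'ok'}")
```

These checks cover requests only and are structural, not behavioural; a monitor such as Zeek's Modbus analyzer already parses the protocol, and the useful site-specific work is deciding which function codes, unit ids and register ranges are legitimate on a given segment so that anything else raises an alert.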

Application whitelisting, keeping AV updated, and network security monitoring are ways to defend against these attacks, he says. "Everyone is concerned about a targeted attack... me, too," he says. "But these run-of-the-mill types of malware can cause damage. They are almost a bigger threat than a targeted attack."
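Because the attackers copy WinCC naming conventions and file names rather than exploiting the products (the 32 WinCC-named samples described above), and application whitelisting is the first defence named here, the following added example shows why the allowlist has to key on file content rather than file name. It is illustrative code written for this page, not the article's or any HMI vendor's tool. The file names, file contents and the lure-fragment list are constructed; in practice the baseline hashes come from vendor media or a trusted build, never from the machine being checked.

```python
import hashlib
import os
import tempfile

# Name fragments the attackers borrow as cover. A match here is only a reason
# to look harder; the allow/block decision is made on the hash, not the name.
LURE_NAME_FRAGMENTS = ("wincc", "simatic", "cimplicity", "advantech")


def sha256_of(path):
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, allowlist):
    """Verdict for one file. allowlist is a set of SHA-256 hex digests baselined
    from known-good vendor media, not from the host being scanned."""
    name = os.path.basename(path).lower()
    digest = sha256_of(path)
    if digest in allowlist:
        return "allowed"
    if any(frag in name for frag in LURE_NAME_FRAGMENTS):
        # Vendor-looking name with an unknown hash: exactly the lure pattern above.
        return "blocked-lure"
    return "blocked"


def scan(directory, allowlist):
    """Classify every file in a directory; file name -> verdict."""
    return {name: classify(os.path.join(directory, name), allowlist)
            for name in sorted(os.listdir(directory))}


def demo():
    """Constructed scenario: one baselined installer, one impostor that reuses
    the vendor's naming convention, and one unrelated executable."""
    with tempfile.TemporaryDirectory() as d:
        genuine = os.path.join(d, "WinCC_Setup.exe")
        with open(genuine, "wb") as f:
            f.write(b"constructed stand-in for a vendor installer\n")
        with open(os.path.join(d, "WinCC_Update.exe"), "wb") as f:
            f.write(b"constructed stand-in for a trojan wearing the WinCC name\n")
        with open(os.path.join(d, "calc_helper.exe"), "wb") as f:
            f.write(b"constructed unrelated binary\n")
        # The baseline is taken from the known-good copy only; the impostor never enters it.
        allowlist = {sha256_of(genuine)}
        return scan(d, allowlist)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:13} {name}")
```

The same logic is what a Windows allowlisting control (AppLocker or Software Restriction Policies in hash mode, or a vendor product) applies at execution time; the point of the example is that a rule written against a path or file name would have let WinCC_Update.exe through, while a hash rule blocks it no matter what it is called.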

Meanwhile, Wilhoit says he's still trying to discern more details about the attackers behind the banking Trojan ICS/SCADA campaigns, as well as which industries are getting hit most. He says the attacks are a wake-up call that it doesn't take a nation-state to disrupt a power plant or other plant-floor operation. "It's not hard to do and you don't have to be a virus-writer to do this," he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins, User Rank: Strategist
1/9/2015 | 11:58:44 AM
Re: "Soft Targets"
The HMI systems (the human-machine interface) in an industrial network being targeted are sensitive to disruption, so Wilhoit says a malware infection w/crimeware could end up taking down the HMI system.
Sara Peters, User Rank: Author
1/9/2015 | 11:53:05 AM
Re: "Soft Targets"
@Kelly Crimeware can take down an ICS system inadvertently? Is that just a matter of ICS systems being especially vulnerable, or what?
Kelly Jackson Higgins, User Rank: Strategist
1/9/2015 | 11:40:37 AM
Re: "Soft Targets"
It's interesting, because this space generally gets generic malware infections more than targeted ones, for sure, but this one disguises crimeware as "legit" ICS/SCADA software updates. What I thought was most telling was that Wilhoit points out that even a crimeware infection can take down an ICS system, inadvertently (or not). So it's bad, just like a targeted attack is.
Sara Peters, User Rank: Author
1/9/2015 | 11:32:38 AM
"Soft Targets"
Great story, Kelly! This is fascinating. Usual financially-motivated attackers going specifically after an industry that doesn't usually worry about those kind of attackers. And using specially-crafted malware for the task, instead of more difficult targeted attacks. It's pretty brilliant, actually. Terrible, of course, but clever.