Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

8/8/2018
08:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Researchers Release Free TRITON/TRISIS Malware Detection Tools

Team of experts re-creates the TRITON/TRISIS attack to better understand the epic hack of an energy plant that ultimately failed.

BLACK HAT USA – Las Vegas – A team of ICS experts who spent the past year studying and re-creating the so-called TRITON/TRISIS malware that targeted a Schneider Electric safety instrumented system (SIS) at an oil and gas petrochemical plant has developed open source tools for detecting it.

Researchers from Nozomi Networks, along with independent ICS expert Marina Krotofil, previously with FireEye, today demonstrated how the malware works, as well as a simulation of how it could be used to wage a destructive attack. TRITON/TRISIS was discovered in 2017 in a Middle Eastern plant after an apparent failure in the attack shut down its Triconex safety systems. No official payload was ever deployed or found, so researchers, to date, have only been able to speculate about the attackers' ultimate plans.

Nozomi Networks recently released the TriStation Protocol Plug-in for Wireshark that the researchers wrote to dissect the Triconex system's proprietary TriStation protocol. The free tool can detect TRITON malware communicating in the network, as well as gather intelligence on the communication, translate function codes, and extract PLC programs that it is transmitting.

The researchers today added a second free TRITON defense tool, the Triconex Honeypot Tool, which simulates the controller so that ICS organizations can set up SIS lures (honeypots) to detect TRITON reconnaissance scans and attack attempts on their safety networks.

Andrea Carcano, founder and chief product officer at Nozomi, says he and his team re-created the attack in their lab, and found that writing custom malware like TRITON/Trisis would not be as difficult or as expensive as you'd think. TriStation software sells for about $3, for example, on one e-commerce website in China, and the hardware sells for anywhere from $5,000 to $10,000 on eBay and Alibaba. The TriStation engineering software file names have information on the software architecture and structure, Carcano said.

"Everyone believed this malware was more sophisticated," he says. "But if you have a little knowledge and patience, you can go online and download the manuals, software, and buy a Triconex controller on eBay like we did ... and build the attack in your house."

Schneider Electric, meanwhile, maintains that a TRITON-type attack would require a skilled threat actor. Andy Kling, director of cybersecurity and system architecture for Schneider, notes that even if an attacker had the Triconex equipment on hand, the attacker would still need to understand how it works. "You'd still need to have a certain level of understanding of how not to step on the safety program and how to stealthily inject this malware into the device," he says. "Those skills, we believe, are still pretty high."

Kling says Schneider is still operating under the same working theory that the TRITON malware was "in development" and that the attackers likely hadn't yet completed their malware arsenal for fully deploying the remote access Trojan. "Or perhaps they had another team and they had not gotten to the final payload piece," he said.

Liam O'Murchu, director of security technology and response at Symantec, says there are still plenty of questions surrounding the intention of the attack and whether it was a test-run or a failed attack. "Was it a competitor trying to take over another competitor? That's one suspicion about it," he says. "They were specifically focused on that particular target."

During its forensic investigation of the attack, Schneider wrote its own malware detection tool for TRITON. "We have been running the program to help our customers see if they were infected by it," Kling says. "We've been running it for months, and there have been no 'positive' [detection] results worldwide, and no new indicators of compromise."

Another Hole
While analyzing TRITON, the Nozomi researchers also stumbled on a built-in backdoor maintenance function in the Triconex TriStation 1131 version 4.9 controller.

"We also found two undocumented power users with hard-coded credentials," Nozomi wrote in a blog post today. "One of the power user's login enabled a hidden menu, which from an attacker's perspective, could be useful."

But Carcano says the feature was not part of the TRITON malware attack. That maintenance support feature has basically been phased out of later versions of the TriStation.

"Fifteen years ago, when those products were developed, you would have a support account built into the products. That was the norm," says Schneider Electric's Kling. But later versions of the software, from 4.9.1 and up, included recommendations and the ability to delete the account.

"As then time went on, [we added] a secure version of this product, and this [support] account no longer exists," he says.

Kling says Triconex users should update their software if they're still running the older 4.9 version.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Artist Uses Malware in Installation
Dark Reading Staff 5/17/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12198
PUBLISHED: 2019-05-20
In GoHttp through 2017-07-25, there is a stack-based buffer over-read via a long User-Agent header.
CVE-2019-12185
PUBLISHED: 2019-05-20
eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component. This may result in remote command execution. An attacker can use a user account to fully compromise the system using a POST request. This will allow for PHP files to be written to the web r...
CVE-2019-12184
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.