The US government is sounding the alarm after discovering new custom tools capable of full system compromise and disruption of ICS/SCADA devices and servers. Investigators reported that a custom-made, modular ICS attack framework can be used to disrupt and/or destruct devices in industrial environments.
A joint advisory from the Department of Energy, CISA, NSA, and the FBI warned that unidentified APT actors have created specialized tools capable of causing major damage to PLCs from Schneider Electric and OMRON Corp. and servers from the open-source OPC Foundation. “The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the agencies warned. “By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions,” according to the joint advisory.
The government warning comes after a series of wiper malware attacks linked to Russia’s invasion of Ukraine and a software supply chain compromise that effectively crippled Viasat’s satellite internet service. Analysts issued a separate notice documenting that this is the seventh known industrial control system (ICS)-specific malware. “[This] is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment.”
Investigators have named the malware "PIPEDREAM.” The combined components in the custom tool could allow attackers to enumerate an industrial environment, infiltrate engineering workstations, exploit process controllers, cross security and process zones, fundamentally disable controllers, and manipulate executed logic and programming. All of these capabilities can lead to a loss of safety, availability, and control of an industrial environment, dramatically increasing time-to-recovery, while potentially placing lives, livelihoods, and communities at risk. The U.S. government agencies have warned that the tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device.
Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities. The APT actors can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters. The government has also spotted signs that the tool is being used to exploit a known-vulnerable ASRock-signed motherboard driver, PI, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel. “Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions,” the agencies said.
The government advisory said the custom malware has been seen targeting the following products:
- Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
- OMRON Sysmac NJ and NX PLCs, including (but may not be limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
- OPC Unified Architecture (OPC UA) servers.
Security response teams are being pushed to enforce multi-factor authentication for all remote access to ICS networks and devices and use a continuous OT monitoring solution to log and alert on malicious indicators and behaviors. The government agencies are also recommending the isolation of ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
Comments