Threat actors have developed custom modules to compromise various ICS devices as well as Windows workstations that pose an imminent threat, particularly to energy providers.
Threat actors have built and are ready to deploy tools that can take over a number of widely used industrial control system (ICS) devices, which spells trouble for critical infrastructure providers—particularly those in the energy sector, federal agencies have warned.
In a joint advisory, the Department of Energy (DoE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the FBI caution that “certain advanced persistent threat (APT) actors” have already demonstrated the capability “to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices,” according to the alert.
The custom-made tools developed by the APTs allow them–once they’ve gained access to the operational technology (OT) network–to scan for, compromise and control affected devices, according to the agencies. This can lead to a number of nefarious actions, including the elevation of privileges, lateral movement within an OT environment, and the disruption of critical devices or functions, they said.
Devices at risk are: Schneider Electric MODICON and MODICON Nano programmable logic controllers (PLCs), including (but may not be limited to) TM251, TM241, M258, M238, LMC058, and LMC078; OMRON Sysmac NEX PLCs; and Open Platform Communications Unified Architecture (OPC UA) servers, the agencies said.
The APTs also can compromise Windows-based engineering workstations that are present in IT or OT environments using an exploit for a known vulnerability in an ASRock motherboard driver, they said.
Warning Should Be Heeded
Though federal agencies often put out advisories on cyber threats, one security professional urged critical infrastructure providers not to take this particular warning lightly.
“Make no mistake, this is an important alert from CISA,” observed Tim Erlin, vice president of strategy at Tripwire, in an email to Threatpost. “Industrial organizations should pay attention to this threat.”
He noted that while the alert itself is focusing on tools for gaining access to specific ICS devices, the bigger picture is that the entire industrial control environment is at risk once a threat actor gains a foothold.
“Attackers need an initial point of compromise to gain access to the industrial control systems involved, and organizations should build their defenses accordingly,” Erlin advised.
The agencies provided a breakdown of the modular tools developed by APTs that allow them to conduct “highly automated exploits against targeted devices,” they said.
They described the tools as having a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device. Modules interact with targeted devices, giving even lower-skilled threat actors the ability to emulate higher-skilled capabilities, the agencies warned.
Actions the APTs can take using the modules include: scanning for targeted devices, conducting reconnaissance on device details, uploading malicious configuration/code to the targeted device, backing up or restoring device contents, and modifying device parameters.
In addition, the APT actors can use a tool that installs and exploits a vulnerability in the ASRock motherboard driver AsrDrv103.sys tracked as CVE-2020-15368. The flaw allows for the execution of malicious code in the Windows kernel, facilitating lateral movement an IT or OT environment as well as the disruption of critical devices or functions.
Targeting Specific Devices
Actors also have a specific modules to attack the other ICS devices. The module for Schneider Electric interacts with the devices via normal management protocols and Modbus (TCP 502).
This module may allow actors to perform various malicious actions, including running a rapid scan to identify all Schneider PLCs on the local network; brute-forcing PLC passwords; coonducting a denial-of-service (DoS) attack to block the PLC from receiving network communications; or conducting a “packet of death” attack to crash the PLC, among others, according to the advisory.
Other modules in the APT tool target OMRON devices and can scan for them on the network as well as perform other compromising functions, the agencies said.
Additionally, the OMRON modules can upload an agent that allows a threat actor to connect and initiate commands—such as file manipulation, packet captures and code execution—via HTTP and/or Hypertext Transfer Protocol Secure (HTTPS), according to the alert.
Finally, a module that allows for compromise of OPC UA devices includes basic functionality to identify OPC UA servers and to connect to an OPC UA server using default or previously compromised credentials, the agencies warned.
The agencies offered an extensive list of mitigations for critical infrastructure providers to avoid the compromise of their systems by the APT tools.
“This isn’t as simple as applying a patch,” Tripwire’s Erwin noted. Of the list, he cited isolating affected systems; employing endpoint detection, configuration and integrity monitoring; and log analysis as key actions organizations should take immediately to protect their systems.
The feds also recommended that critical-infrastructure providers have a cyber incident response plan that all stakeholders in IT, cybersecurity and operations know and can implement quickly if necessary, as well as maintain valid offline backups for faster recovery upon a disruptive attack, among other mitigations.
Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.