A new malware framework capable of disrupting multiple types of IT and OT devices has been observed by US authorities, placing potentially vulnerable businesses on high alert

by: Connor Jones – ITPro

US authorities have issued a warning to critical infrastructure businesses after they observed state-sponsored cyber attackers wielding custom tools to fully compromise systems.

Advanced persistent threat (APT) groups, which are typically made up of state-sponsored hackers, have already demonstrated the ability to gain full access to multiple types of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, the cyber security advisory (CSA) read.

Co-issued by the Department of Energy, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), the CSA instructed all potentially vulnerable organisations to implement measures to ensure the security of their systems.

Businesses are advised to enforce multi-factor authentication (MFA) for all remote access to ICS networks and devices where possible. They're also instructed to change passwords on all ICS and SCADA devices on a regular basis, to avoid default passwords, and to use an operational technology (OT) security monitoring product.

Authorities said the tools allow attackers to launch “highly automated” exploits against targeted devices and can be used by lower-skilled hackers to execute processes typically reserved for higher-skilled actors.

Successful attacks using the tools could lead to denial of service on affected devices, crashing a programmable logic controller (PLC), credential capture, file manipulation, packet capture, and, in some cases, sending custom commands to the device.

The new toolkit is used in conjunction with a known vulnerability in a signed ASRock motherboard driver that lets attackers execute code in the Windows kernel, which they can use to move laterally within IT or OT networks.

Cyber security companies Dragos and Mandiant released reports into the tools described by US authorities, with the latter working closely with Schneider Electric, the manufacturer of one of the affected OT devices.

Codenamed ‘Incontroller’ by Mandiant and ‘Pipedream’ by Dragos, these tools contain a number of connected capabilities that allow hackers to scan for devices and in some cases modify and disrupt them.
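The advisory's call for OT security monitoring, together with the capabilities described above (scanning for controllers, sending commands, and denial of service), is the kind of thing a passive network monitor is meant to catch. The following is an added example, not code from the advisory, Dragos, Mandiant or the Pipedream/Incontroller tooling: a minimal Modbus/TCP analyser run over a constructed capture. It flags write requests from any host other than an assumed engineering workstation, the Modbus diagnostic "Force Listen Only Mode" request (function 08, sub-function 0x0004, which silences a device), and one source sweeping several controllers. Modbus/TCP is used here as a representative ICS protocol; the page does not state which protocols the tools speak, and the IP addresses, allowlist and threshold are assumptions.

```python
"""Flag suspicious Modbus/TCP traffic in a list of captured frames.

Added, hypothetical example of passive OT monitoring. Parses Modbus/TCP
application data units and raises alerts for (a) write requests from hosts
not on an engineering allowlist, (b) the diagnostic "Force Listen Only Mode"
request (function 08, sub-function 0x0004), and (c) one source touching many
distinct controllers, i.e. a scan. The sample frames are constructed inline.
"""
import struct
from collections import defaultdict

# Hosts allowed to issue write requests (assumed allowlist, not from the page).
ENGINEERING_HOSTS = {"10.0.10.5"}
# Modbus function codes that change state on the device.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
FC_DIAGNOSTICS = 8
SUB_FORCE_LISTEN_ONLY = 0x0004
SCAN_THRESHOLD = 3  # distinct (host, unit) targets from one source before it counts as a scan


def build_frame(unit_id, function_code, data, transaction_id=1):
    """Build a Modbus/TCP ADU (MBAP header + PDU); used only to construct the sample capture."""
    pdu = bytes([function_code]) + data
    # The MBAP length field counts the unit identifier plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_frame(raw):
    """Return (unit_id, function_code, data), or None if the frame is malformed."""
    if len(raw) < 8:
        return None
    _transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", raw[:7])
    # Protocol identifier must be 0 for Modbus; length must match the bytes that follow it.
    if protocol_id != 0 or length != len(raw) - 6:
        return None
    return unit_id, raw[7], raw[8:]


def analyse(frames):
    """frames: iterable of (src_ip, dst_ip, raw_bytes). Returns a list of alert tuples."""
    alerts = []
    targets_by_source = defaultdict(set)
    for src, dst, raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:
            alerts.append(("malformed", src, dst, None))
            continue
        unit_id, fc, data = parsed
        targets_by_source[src].add((dst, unit_id))
        if fc in WRITE_FUNCTIONS and src not in ENGINEERING_HOSTS:
            alerts.append(("unauthorised_write", src, dst, fc))
        if fc == FC_DIAGNOSTICS and len(data) >= 2:
            sub_function = struct.unpack(">H", data[:2])[0]
            if sub_function == SUB_FORCE_LISTEN_ONLY:
                alerts.append(("force_listen_only", src, dst, fc))
    for src, targets in targets_by_source.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append(("scan", src, None, len(targets)))
    return alerts


def sample_capture():
    """Constructed traffic: one legitimate write, then a rogue host scanning and disrupting."""
    ews, rogue = "10.0.10.5", "10.0.10.77"
    plcs = ["10.0.20.1", "10.0.20.2", "10.0.20.3"]
    return [
        # Engineering workstation writes a single holding register: expected behaviour.
        (ews, plcs[0], build_frame(1, 6, struct.pack(">HH", 0x0010, 0x00FF))),
        # Rogue host reads holding registers on three controllers: a sweep.
        *[(rogue, plc, build_frame(1, 3, struct.pack(">HH", 0, 10))) for plc in plcs],
        # Rogue host forces a coil: unauthorised write.
        (rogue, plcs[1], build_frame(1, 5, struct.pack(">HH", 0x0001, 0xFF00))),
        # Rogue host puts a controller into listen-only mode: denial of service.
        (rogue, plcs[2], build_frame(1, 8, struct.pack(">HH", SUB_FORCE_LISTEN_ONLY, 0))),
    ]


if __name__ == "__main__":
    for alert in analyse(sample_capture()):
        print(alert)
```

In practice the frames would come from a span port or tap rather than a list, and the allowlist would be the set of engineering workstations that are actually permitted to program controllers; the point of the example is that an allowlist of who may write, plus a short list of known-disruptive requests, already catches the behaviours the advisory describes.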

Mandiant said the hacking tools bear a strong resemblance to Triton, malware previously used to target similar critical infrastructure environments and the malware FireEye in 2018 accused Russia of using against a Saudi petrochemical plant.

Dragos said the tools mark the seventh known ICS-specific malware framework, earlier examples including the malware behind a power outage in Ukraine in 2016 and Stuxnet in 2010.

“This is a rare case of analysing malicious capabilities before employment against victim infrastructure giving defenders a unique opportunity to prepare in advance,” said Dragos. “Dragos assesses with high confidence that this capability was developed by a state-sponsored adversary with the intention to leverage Pipedream in future operations.”

The cyber security company didn’t attribute the new tools to any specific nation but did tie the development to a group it tracks as ‘Chernovite’.
