Industrial Control System (ICS) Focused Malware: Information from ICS-Cert (ICS-ALERT-14-176-02A)
ICS-CERT has released detailed information (ICS-ALERT-14-176-02A) regarding an Industrial Control System malware campaign that has been detected on several fronts: what it is, how it spreads, and how to protect your systems if they are vulnerable. The following discussion, based on the alert, condenses that information so you can judge whether it applies to you. At the time this article is being published, InduSoft is not aware of any system using its products being infected or affected by this malware; however, here are some FAQs that will help customers understand the issues. The answers are based on US-CERT information and on information from InduSoft Development/Engineering:
What are the attacks and malware?
US-CERT: ICS-CERT is analyzing malware [called Havex] and artifacts associated with an ICS focused malware campaign that uses multiple vectors for infection. These include phishing emails, redirects to compromised web sites and most recently, trojanized update installers on at least 3 industrial control systems (ICS) vendor web sites, in what are referred to as watering hole-style attacks. Based on information ICS-CERT has obtained from Symantec and F-Secure, the software installers for these vendors were infected with malware known as the Havex Trojan. According to analysis, these techniques could have allowed attackers to access the networks of systems that have installed the trojanized software.
InduSoft: The malware spreads through phishing emails, through compromised websites, and by trojanizing the installer packages (three known, per ICS-CERT) of Industrial Control System software. The last method involves uploading an infected version of the manufacturer's software back to the manufacturer's own download site, so that when customers download it, the installer routine (which is not part of the actual control system software) also installs an extra DLL called "mbcheck.dll", which is the malware itself. InduSoft routinely checks the software available for download on our website to verify that the installer routines have not been altered since the software was packaged and zipped by our developers.
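The check described above, recording what the developers packaged and comparing the published download against it, can be done with a per-file hash manifest. The following is an added example, not InduSoft's release tooling and not code from the alert; the archive contents and file names (setup.exe, readme.txt, mbcheck.dll standing in for the dropped payload) are constructed for illustration. It flags files that were added to the archive, not only files whose content changed, because the trojanized installers carried an extra DLL alongside the genuine setup.

```python
"""Verify a downloaded installer archive against the manifest recorded when it
was packaged.  Added example, not InduSoft's own tooling; the archive contents
and names below are constructed."""
import hashlib
import io
import zipfile


def build_manifest(zip_bytes: bytes) -> dict:
    """Record the SHA-256 of every member as the developers packaged it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest()
                for name in zf.namelist()}


def verify_archive(zip_bytes: bytes, manifest: dict) -> list:
    """Compare a downloaded archive with the packaging-time manifest.

    Returns a list of findings; an empty list means nothing was added,
    removed or changed.  Findings are ordered: added, missing, changed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        present = set(zf.namelist())
        expected = set(manifest)
        for name in sorted(present - expected):
            findings.append(f"unexpected file added: {name}")
        for name in sorted(expected - present):
            findings.append(f"expected file missing: {name}")
        for name in sorted(present & expected):
            if hashlib.sha256(zf.read(name)).hexdigest() != manifest[name]:
                findings.append(f"content changed: {name}")
    return findings


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: the archive as the developers packaged it.
ORIGINAL_ZIP = make_zip({
    "setup.exe": b"MZ...original installer bytes...",
    "readme.txt": b"release notes",
})
MANIFEST = build_manifest(ORIGINAL_ZIP)   # keep this out of band, at packaging time

# Constructed sample: the same release as an attacker would re-upload it,
# with the installer patched and an extra DLL dropped in beside it.
TAMPERED_ZIP = make_zip({
    "setup.exe": b"MZ...patched installer bytes...",
    "readme.txt": b"release notes",
    "mbcheck.dll": b"placeholder bytes standing in for the malicious DLL",
})

if __name__ == "__main__":
    print("original:", verify_archive(ORIGINAL_ZIP, MANIFEST) or "clean")
    for finding in verify_archive(TAMPERED_ZIP, MANIFEST):
        print("tampered:", finding)
```

The manifest has to be stored somewhere the web server cannot reach, otherwise an attacker who can replace the installer can replace the manifest with it. For customers, who cannot rebuild the manifest themselves, the equivalent check is a code-signing signature on the installer plus a hash published over a channel separate from the download site.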
What is Havex?
US-CERT: Havex is a Remote Access Trojan (RAT) that communicates with a Command and Control (C&C) server. The C&C server can deploy payloads that provide additional functionality. F-Secure and ICS-CERT identified and analyzed one payload that enumerates all connected network resources such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system resources within the network. The known components of the identified Havex payload do not appear to target devices using the newer OPC Unified Architecture (UA) standard.
InduSoft: Note that, according to the US-CERT information about Havex and its C&C server, the malware targets users of OPC communication through OPC DA drivers. OPC DA runs over classic DCOM, and its enumeration interfaces give the malware information about the computer and the connected resources, which is then transmitted to the C&C server. At this point it is believed that no attempt has been made to actually control any Industrial Control System using this information; however, that could occur in the future on infected machines and networks that use OPC DA. Customers already using OPC UA, which is supported by InduSoft Web Studio, benefit from its built-in security model, which provides authentication and authorization along with encryption and data integrity via signatures, so the malware cannot read or tamper with the OPC traffic. This protection applies only when the OPC UA endpoint is configured with a security policy other than None; an endpoint left at None exchanges data in the clear.
What will the malware do if my machine is compromised or infected?
US-CERT: It is important to note that ICS-CERT testing has determined that the Havex payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications.
InduSoft: Customers using the OPC DA driver could experience otherwise unexplained, intermittent crashes of their OPC components, as described above.
What should customers do to protect their SCADA or Industrial Control Systems?
US-CERT: Both the Symantec and F-Secure reports include technical indicators of compromise that can be used for detection and network defense. ICS-CERT strongly recommends that organizations check their network logs for activity associated with this campaign. Any organization experiencing activity related to this report should preserve available evidence for forensic analysis and future law enforcement purposes. For more questions about incident handling or preserving data, please reference ICS-CERT Incident Handling guidelines.
OPC-specific recommendations include:
- Enforce strict access control lists and authentication protocols for network level access to OPC clients and servers.
- Consider using OPC tunneling technologies to avoid exposure of any legacy DCOM based OPC services.
- When using OPC .NET based communications, ensure that the HTTP server enforces proper authentication and encryption of the OPC communications for both clients and servers.
- Leverage the OPC Security specification when possible.
InduSoft: In addition to the information provided by US-CERT, customers currently using the OPC DA driver are encouraged to change to the OPC UA driver and use its built-in security features. Customers are also encouraged to update their antivirus software immediately so that, if the malware has inadvertently been installed on any SCADA machine, it is detected and removed.
InduSoft also has several blogs on product security and security techniques that you may find useful:
If you have any further questions regarding SCADA security or if you need any assistance with your application in regard to keeping your system secure, please contact us:
General product questions or questions about this blog:
Assistance with configuring security correctly in your application or if you believe that your system may be compromised:
Contact Technical Support at 877-INDUSOFT (877-463-8763) or outside of the US or Canada at 512.349.0334
or firstname.lastname@example.org or by Online Chat on our website by selecting “Support” from the Chat interface menu.
Support hours: M-F 8:30am to 5:30pm Central Time (UTC-6; UTC-5 in summer)