Microsoft Subnet An independent Microsoft community View more

Critical Infrastructure Malware Infections: From ICS-CERT report to SCADA Strangelove

Homeland Security's Cyber Emergency Response Team for Industrial Control Systems published a report covering common and sophisticated malware discovered in the ICS environment that targeted America's critical infrastructure in 2012. Meanwhile, at the 29th Chaos Communication Congress, the SCADA Strangelove presentation revealed 20 new SCADA vulnerabilities.

The Department of Homeland Security's Cyber Emergency Response Team for Industrial Control Systems (ICS-CERT) reported that during the fiscal year 2012, it "responded to 198 cyber incidents." Forty one percent of the attacks were against the energy sector, followed by 15% that targeted the water sector. This does not include the Springfield Illinois water utility that was reportedly hacked via an IP located in Russia. The feds said there was no evidence of a cyber-intrusion there. The image below shows the Fiscal Year 2012 ICS vulnerability incidents by sectors.

The October/November/December 2012 ICS-CERT monitor [PDF] begins with:

ICS-CERT recently provided onsite support at a power generation facility where both common and sophisticated malware had been discovered in the industrial control system environment. The malware was discovered when an employee asked company IT staff to inspect his USB drive after experiencing intermittent issues with the drive's operation. The employee routinely used this USB drive for backing up control systems configurations within the control environment.

When the IT employee inserted the drive into a computer with up-to-date antivirus software, the antivirus software produced three positive hits. Initial analysis caused particular concern when one sample was linked to known sophisticated malware. Following analysis and at the request of the customer, an onsite team was deployed to their facility where the infection occurred.

After determining that "sophisticated malware existed on the two engineering workstations, attention shifted quickly to the remaining eleven operator stations in the control environment. Manual analysis using the known characteristics of the malware revealed no signs of the malicious software on these operator stations." This seems to correlate with what was previously suggested by a University of Tel Aviv research team; that antivirus software may be a waste of money when it comes to new viruses. The researchers "tested 82 new malware files against 40 antivirus products and found that the antivirus programs detected exactly none of them."

Further down in the ICS-CERT report there is more information regarding a virus infection at an electric utility.

In early October 2012, a power company contacted ICS-CERT to report a virus infection in a turbine control system which impacted approximately ten computers on its control system network. Discussion and analysis of the incident revealed that a third-party technician used a USB-drive to upload software updates during a scheduled outage for equipment upgrades. Unknown to the technician, the USB-drive was infected with crimeware. The infection resulted in downtime for the impacted systems and delayed the plant restart by approximately 3 weeks.

You may recall the supposed Firesheep moment for SCADA which made hacking critical infrastructure systems as easy as pushing a button, but the report mentions Project SHINE (SHodan INtelligence Extraction) in which two researchers compiled a list of nearly 500,000 Internet-facing control systems and demonstrated "the ease the with which critical infrastructure devices can be discovered on the Internet." The researchers showed ICS-CERT this database of 460,000 IP addresses that they found by using SHODAN. "As SHODAN is freely available, anyone with malicious intent could locate these devices and attempt logon, leaving these systems vulnerable to attack. Once accessed, these devices may be used as an entry point onto a control systems network, making their Internet-facing configuration a major vulnerability to critical infrastructure."

After working with various partners, ICS-CERT "shortened the list to approximately 98,000 organizations within the United States. Further evaluation indicated that many of these logon sites were not directly associated with critical control devices and the list was again reduced to approximately 7,200 devices in the United States that appear to be directly related to control systems."

The reportĀ  [PDF] is an interesting read. In total for 2012, ICS-CERT tracked 171 unique vulnerabilities affecting ICS products. The top 10 vulnerability types included: Buffer Overflow, Input Validation, Resource Exhaustion, Authentication, Cross-site Scripting, Path Traversal, Resource Management, Access Control, Hard-coded Password, DLL Hijacking.

The total list of vulnerabilities can be found in the report, but do not include the zero-days that security firm ReVuln won't share with ICS-CERT or the vendors. A month ago, ReVuln posted a video to promote nine zero-day SCADA (Supervisory Control and Data Acquisition) exploits that target software from General Electric, Schneider Electric, Kaskad, Rockwell Automation, Eaton and Siemens. These vulnerabilities are for sale to government or other highest bidders.

According to ReVuln, the zero-days would "allow attackers to remotely execute arbitrary code, download arbitrary files, execute arbitrary commands, open remote shells or hijack sessions on systems running the vulnerable SCADA software." ReVuln told Lucian Constantin that "attackers can take control of the machine with the maximum privileges (SYSTEM on Windows) granted by the affected service. They can install rootkits and other types of malware or obtain sensitive data (like passwords used on other computers of the same network) and obviously they can control the whole infrastructure."

If SCADA interests you, then you might want to take the time to watch SCADA Strangelove, or "How I Learned to Start Worrying and Love Nuclear Plants." It was presented at the 29th Chaos Communication Congress (29C3) and revealed about "20 new vulnerabilities in common SCADA systems, including Simatic WinCC." The video demonstrates "how to obtain full access to a plant via: a sniffer and a packet generator; FTP and Telnet; Metasploit and OSQL; a webserver and a browser."

Happy New Year!

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Join the discussion
Be the first to comment on this article. Our Commenting Policies