ClearEnergy ransomware can destroy process automation logics in critical infrastructure, SCADA and industrial control systems.


Schneider Electric, Allen-Bradley, General Electric (GE) and more vendors are vulnerable to ClearEnergy ransomware.

Researchers at CRITIFENCE® Critical Infrastructure and SCADA/ICS Cyber Threats Research Group have demonstrated this week a new proof of concept ransomware attack aiming to erase (clear) the ladder logic diagram in Programmable Logic Controllers (PLCs). The ransomware a.k.a ClearEnergy affects a massive range of PLC models of world’s largest manufacturers of SCADA and Industrial Control Systems. This includes Schneider Electric Unity series PLCs and Unity OS from version 2.6 and later, other PLC models of leading vendors include GE and Allen-Bradley (MicroLogix family) which are also found to be vulnerable to the ransomware attack.ransomware attack.ransomware a.k.a ClearEnergy affects a massive range of PLC models of world’s largest manufacturers of SCADA and Industrial Control Systems. This includes Schneider Electric Unity series PLCs and Unity OS from version 2.6 and later, other PLC models of leading vendors include GE and Allen-Bradley (MicroLogix family) which are also found to be vulnerable to the ransomware attack.

Ransomware is a type of malware that infects computers and encrypts their content with strong encryption algorithms, and then demands a ransom to decrypt that data. “ClearEnergy attack is based on the most comprehensive and dangerous vulnerability that ever found in Critical Infrastructure, SCADA and ICS Systems, and affects a wide range of vulnerable products from different manufacturers and vendors. These attacks target the most important assets and critical infrastructure and not just because they are easy to attack but also hard to be recovered”. Says Brig. Gen. (ret.) Rami Ben Efraim, CEO at CRITIFENCE.

In 2016 we have seen a rise in ransomware, where the victims were businesses or public organizations that on one hand had poor security and on the other hand the alternative cost of losing business continuity was high. Last year there were reports of a targeted ransomware for PC and other workstation within critical infrastructure, SCADA and industrial control systems. A month ago, scientists from the School of Electrical and Computer Engineering in Georgia Institute of Technology have simulated a proof-of-concept ransomware attack (LogicLocker) in a limited scope designed to attack critical infrastructure, SCADA and industrial control systems.

ClearEnergy acts similarly to other malicious ransomware programs that infect computers and encrypts their content with strong encryption algorithms, and then demands a ransom to decrypt that data back to its original form, with one major difference. ClearEnergy is a malicious ransomware attack designed to target Critical Infrastructure and SCADA systems such nuclear and power plant facilities, water and waste facilities, transportation infrastructure and more.

“Although the codename ClearEnergy, the vulnerabilities behind ClearEnergy ransomware takes us to our worst nightmares where cyber-attacks meets critical infrastructure. Attackers can now take down our electricity, our water supply and our oil and gas infrastructure by compromising power plants, water dams and nuclear plants. Critical Infrastructure are the place in which terrorists, activists, criminals and state actors can make the biggest effect. They have the motivation, and ClearEnergy shows that they have also the opportunity.” Says Brig. Gen. (ret.) Rami Ben Efraim, CEO at CRITIFENCE.

Once ClearEnergy is executed on the victim machine it will search for vulnerable PLCs in order to grab the ladder logic diagram from the PLC and will try to upload it to a remote server. Finally ClearEnergy will start a timer that will trigger a process to wipe the logic diagram from all PLCs after one hour unless the victim will pay in order to cancel the timer and to stop the attack.

SCADA and Industrial Control Systems has been found to be weak in the recent years, against numerous types of attacks that result in damages in a form of loss of service which translate to a power outage, or sabotage. The damage that ClearEnergy attack can cause to the critical infrastructure is high since it can cause a power failure and other damages to field equipment, thus making the recovery process slow in most cases, and might even bring a plant to a halt.

ClearEnergy, which is based on vulnerabilities CVE-2017-6032 (SVE-82003203) and CVE-2017-6034 (SVE-82003204) that have been discovered by CRITIFENCE security researchers, disclosed profound security flaws in the UMAS protocol of the vendor Schneider Electric. UMAS protocol seems to suffer from critical vulnerabilities in the form of bad design of the protocol session key, which results in authentication bypass. “UMAS is a Kernel level protocol and an administrative control layer used in Unity series PLC and Unity OS from 2.6. It relies on the Modicon Modbus protocol, a common protocol in Critical Infrastructure, SCADA and industrial control systems and used to access both unallocated and allocated Memory from PLC to SCADA system. What worries our researchers is that it may not be entirely patched within the coming years, since it affecta a wide range of hardware and vendors.” Says Mr. Eran Goldstein, CTO and Founder of CRITIFENCE.

Following to the disclosure, Schneider Electric has confirmed that the Modicon family of PLCs products are vulnerable to the findings presented by CRITIFENCE and released an Important Cybersecurity Notification (SEVD-2017-065-01). ICS-CERT, Department of Homeland Security (DHS) released an important advisory earlier this morning ([April 11, 2017] ICSA-17-101-01). The basic flaws, which was confirmed by Schneider Electric, allows an attacker to guess a weak (1-byte length) session key easily (256 possibilities) or even to sniff it. Using the session key, the attacker is able to get a full control of the controller, to read controller’s program and rewriting it back with the malicious code.

“The recovery process from this type of cyber-attacks can be very hard and slow in most cases due to lack of management resources in the field of SCADA and process automation. Slow recovery process multiplied by the number of devices need be fixed, as well configuration restoration makes the recovery processes very painful”. Says Mr. Alexey Baltacov, Critical Infrastructure Architect at CRITIFENCE

“Recovering from such an attack would be a slow and tedious process, and prone to many failures. Every plant using PLC’s which is part of a production line and would have dozens of these devices all around the plant. Let’s assume that each PLC is indeed backed-up to its recent configuration. It would take a painstakingly long time to recover each and every one of them to its original status.” Says Mr. Eyal Benderski, Head of the Critical Infrastructure and SCADA/ICS Cyber Threats Research Group at CRITIFENCE. “This restoration process would take a long time, on which the plant would be completely shut down. The costs of that shut down could be substantial, and for critical processes it could affect for more than the down-time, as it is the case with energy plants. Consider a process which relies on keeping a constant temperature for a biological agent or chemical process. Breaking the process chain could require re-initialization that may be days and weeks long. Furthermore, since dealing with the OT network is much more complicated for operational reasons, on many occasions plants don’t even have up-to-date backups, which would require complete reconfiguration of the manufacturing process. Given these complications, plants would very much prefer paying the ransom than dealing with the minor chance that the backups will work as expected. Lastly, let’s assume the backups went on-air as soon as possible, what would prevent the same attack from recurring, even after paying?”

About the author:

CRITIFENCE is a leading Critical Infrastructure, SCADA and Industrial Control Systems cyber security firm. The company developed and provides SCADAGate+ unique passive cyber security technology and solutions designed for Critical Infrastructure, SCADA and Industrial Control Systems visibility and vulnerability assessment,  which allow to monitor, control and to analyze OT network cyber security events and vulnerabilities easily and entirely passively. CRITIFENCE development team and Critical Infrastructure and SCADA/ICS Cyber Threats Research Group combined from top experienced SCADA and cyber security experts and researchers of the IDF’s Technology & Intelligence Unit 8200 (Israel’s NSA) and the Israeli Air Force (IAF).

For more information about CRITIFENCE refer to:







Source code

ClearEnergy | UMASploit –


Schneider Electric – SEVD-2017-065-01

ICS-CERT, Department of Homeland Security (DHS) – ICSA-17-101-01



SecurityAffairs –

0xICF –

VirusGuides –


Physical Backdoor | Remote Root Vulnerability in HID Door Controllers

If you’ve ever been inside an airport, university campus, hospital, government complex, or office building, you’ve probably seen one of HID’s brand of card readers standing guard over a restricted area. HID is one of the world’s largest manufacturers of access control systems and has become a ubiquitous part of many large companies’ physical security posture. Each one of those card readers is attached to a door controller behind the scenes, which is a device that controls all the functions of the door including locking and unlocking, schedules, alarms, etc.

In recent years, these door controllers have been given network interfaces so that they can be managed remotely. It is very handy for pushing out card database updates and schedules, but as with everything else on the network, there is a risk of remotely exploitable vulnerabilities. And in the case of physical security systems, that risk is more tangible than usual.

HID’s two flagship lines of door controllers are their VertX and Edge platforms. In order for these controllers to be easily integrated into existing access control setups, they have a discoveryd service that responds to a particular UDP packet. A remote management system can broadcast a “discover” probe to port 4070, and all the door controllers on the network will respond with information such as their mac address, device type, firmware version, and even a common name (like “North Exterior Door”). That is the only purpose of this service as far as I can tell. However, it is not the only function of this service. For some reason, discoveryd also contains functionality for changing the blinking pattern of the status LED on the controller. This is accomplished by sending a “command_blink_on” packet to the discoveryd service with the number of times for the LED to blink. Discoveryd then builds up a path to /mnt/apps/bin/blink and calls system() to run the blink program with that number as an argument.

And you can probably guess what comes next.

A command injection vulnerability exists in this function due to a lack of any sanitization on the user-supplied input that is fed to the system() call. Instead of a number of times to blink the LED, if we send a Linux command wrapped in backticks, like `id`, it will get executed by the Linux shell on the device. To make matters worse, the discovery service runs as root, so whatever command we send it will also be run as root, effectively giving us complete control over the device. Since the device in this case is a door controller, having complete control includes all of the alarm and locking functionality. This means that with a few simple UDP packets and no authentication whatsoever, you can permanently unlock any door connected to the controller. And you can do this in a way that makes it impossible for a remote management system to relock it. On top of that, because the discoveryd service responds to broadcast UDP packets, you can do this to every single door on the network at the same time!

Needless to say, this is a potentially devastating bug. The Zero Day Initiative team worked with HID to see that it got fixed, and a patch is reportedly available now through HID’s partner portal, but I have not been able to verify that fix personally. It also remains to be seen just how quickly that patch will trickle down into customer deployments. TippingPoint customers have been protected ahead of a patch for this vulnerability since September 22, 2015 with Digital Vaccine filter 20820.



Credit:  Ricky Lawshae

Kemuri Water Company (KWC) | Hackers change chemical settings at water treatment plant

The unnamed water district had asked Verizon to assess its networks for indications of a security breach. It said there was no evidence of unauthorized access, and the assessment was a proactive measure as part of ongoing efforts to keep its systems and networks healthy.

Verizon examined the company’s IT systems, which supported end users and corporate functions, as well as Operational Technology (OT) systems, which were behind the distribution, control and metering of the regional water supply.

The assessment found several high-risk vulnerabilities on the Internet-facing perimeter and said that the OT end relied heavily on antiquated computer systems running operating systems from 10 or more years ago.

Many critical IT and OT functions ran on a single IBM AS/400 system which the company described as its SCADA (Supervisory Control and Data Acquisition) platform. This system ran the water district’s valve and flow control application that was responsible for manipulating hundreds of programmable logic controllers (PLCs), and housed customer and billing information, as well as the company’s financials.

Interviews with the IT network team uncovered concerns surrounding recent suspicious cyber activity and it emerged that an unexplained pattern of valve and duct movements had occurred over the previous 60 days. These movements consisted of manipulating the PLCs that managed the amount of chemicals used to treat the water to make it safe to drink, as well as affecting the water flow rate, causing disruptions with water distribution, Verizon reported.

An analysis of the company’s internet traffic showed that some IP addresses previously linked to hacktivist attacks had connected to its online payment application.

Verizon said that it “found a high probability that any unauthorized access on the payment application would also expose sensitive information housed on the AS/400 system.” The investigation later showed that the hackers had exploited an easily identified vulnerability in the payment application, leading to the compromise of customer data. No evidence of fraudulent activity on the stolen accounts could be confirmed.

However, customer information was not the full extent of the breach. The investigation revealed that, using the same credentials found on the payment app webserver, the hackers were able to interface with the water district’s valve and flow control application, also running on the AS/400 system.

During these connections, they managed to manipulate the system to alter the amount of chemicals that went into the water supply and thus interfere with water treatment and production so that the recovery time to replenish water supplies increased. Thanks to alerts, the company was able to quickly identify and reverse the chemical and flow changes, largely minimizing the impact on customers. No clear motive for the attack was found, Verizon noted.

The company has since taken remediation measures to protect its systems.

In its concluding remarks on the incident, Verizon said: “Many issues like outdated systems and missing patches contributed to the data breach — the lack of isolation of critical assets, weak authentication mechanisms and unsafe practices of protecting passwords also enabled the threat actors to gain far more access than should have been possible.”

Acknowledging that the company’s alert functionality played a key role in detecting the chemical and flow changes, Verizon said that implementation of a “layered defense-in-depth strategy” could have detected the attack earlier, limiting its success or preventing it altogether.


About the attack [UPDATED]

A “hacktivist” group with ties to Syria compromised Kemuri Water Company’s computers after exploiting unpatched web vulnerabilities in its internet-facing customer payment portal, it is reported.

The hack – which involved SQL injection and phishing – exposed KWC’s ageing AS/400-based operational control system because login credentials for the AS/400 were stored on the front-end web server. This system, which was connected to the internet, managed programmable logic controllers (PLCs) that regulated valves and ducts that controlled the flow of water and chemicals used to treat it through the system. Many critical IT and operational technology functions ran on a single AS400 system, a team of computer forensic experts from Verizon subsequently concluded.

Our endpoint forensic analysis revealed a linkage with the recent pattern of unauthorised crossover. Using the same credentials found on the payment app webserver, the threat actors were able to interface with the water district’s valve and flow control application, also running on the AS400 system. We also discovered four separate connections over a 60-day period, leading right up to our assessment.During these connections, the threat actors modified application settings with little apparent knowledge of how the flow control system worked. In at least two instances, they managed to manipulate the system to alter the amount of chemicals that went into the water supply and thus handicap water treatment and production capabilities so that the recovery time to replenish water supplies increased. Fortunately, based on alert functionality, KWC was able to quickly identify and reverse the chemical and flow changes, largely minimising the impact on customers. No clear motive for the attack was found.

Verizon’s RISK Team uncovered evidence that the hacktivists had manipulated the valves controlling the flow of chemicals twice – though fortunately to no particular effect. It seems the activists lacked either the knowledge of SCADA systems or the intent to do any harm.

The same hack also resulted in the exposure of personal information of the utility’s 2.5 million customers. There’s no evidence that this has been monetized or used to commit fraud.

Nonetheless, the whole incident highlights the weaknesses in securing critical infrastructure systems, which often rely on ageing or hopelessly insecure setups.




More Information

Monzy Merza, Splunk’s director of cyber research and chief security evangelist, commented: “Dedicated and opportunistic attackers will continue to exploit low-hanging fruit present in outdated or unpatched systems. We continue to see infrastructure systems being targeted because they are generally under-resourced or believed to be out of band or not connected to the internet.”

“Beyond the clear need to invest in intrusion detection, prevention, patch management and analytics-driven security measures, this breach underscores the importance of actionable intelligence. Reports like Verizon’s are important sources of insight. Organisations must leverage this information to collectively raise the bar in security to better detect, prevent and respond to advanced attacks. Working collectively is our best route to getting ahead of attackers,” he added.

Reports that hackers have breached water treatment plants are rare but not unprecedented. For example, computer screenshots posted online back in November 2011 purported to show the user interface used to monitor and control equipment at the Water and Sewer Department for the City of South Houston, Texas by hackers who claimed to have pwned its systems. The claim followed attempts by the US Department of Homeland Security to dismiss a separate water utility hack claim days earlier.

More recently hackers caused “serious damage” after breaching a German steel mill and wrecking one of its blast furnaces, according to a German government agency. Hackers got into production systems after tricking victims with spear phishing emails, said the agency.

Spear phishing also seems to have played a role in attacks lining the BlackEnergy malware against power utilities in the Ukraine and other targets last December. The malware was used to steal user credentials as part of a complex attack that resulted in power outages that ultimately left more than 200,000 people temporarily without power on 23 December.


Credit:  watertechonline, theregister

OnionDog APT targets Critical Infrastructures and Industrial Control Systems (ICS)

The Helios Team at 360 SkyEye Labs revealed that a group named OnionDog has been infiltrating and stealing information from the energy, transportation and other infrastructure industries of Korean-language countries through the Internet.


OnionDog’s first activity can be traced back to October, 2013 and in the following two years it was only active between late July and early September. The self-set life cycle of a Trojan attack is 15 days on average and is distinctly organizational and objective-oriented.

OnionDog malware is transmitted by taking advantage of the vulnerability of the popular office software Hangul in Korean-language countries, and it attacked network-isolated targets through a USB worm.

Targeting the infrastructure industry

OnionDog concentrated its efforts on infrastructure industries in Korean-language countries. In 2015 this organization mainly attacked harbors, VTS, subways, public transportation and other transportation systems. In 2014 it attacked many electric power and water resources corporations as well as other energy enterprises.

The Helios Team has found 96 groups of malicious code, 14 C&C domain names and IP related to OnionDog. It first surfaced in October 2013, and then was most active in the summers of the following years. The Trojan set its own “active state” time and the shortest was be three days and maximum twenty nine days, from compilation to the end of activity. The average life cycle is 15 days, which makes it more difficult for the victim enterprises to notice and take actions than those active for longer period of time.

OnionDog’s attacks are mainly carried out in the form of spear phishing emails. The early Trojan used icons and file numbers to create a fake HWP file (Hangul’s file format). Later on, the Trojan used a vulnerability in an upgraded version of Hangul, which imbeds malicious code in a real HWP file. Once the file is opened, the vulnerability will be triggered to download and activate the Trojan.

Since most infrastructure industries, such as the energy industry, generally adopt intranet isolation measures, OnionDog uses the USB disk drive ferry to break the false sense of security of physical isolation. In the classic APT case of the Stuxnet virus, which broke into an Iranian nuclear power plant, the virus used an employee’s USB disk to circumvent network isolation. OnionDog also used this channel and generated USB worms to infiltrate the target internal network.

“OCD-type” intensive organization

In the Malicious Code activities of OnionDog, there are strict regulations:

First, the Malicious Code has strict naming rules starting from the path of created PDB (symbol file). For example, the path for USB worm is APT-USB, and the path for spear mail file is APT-WebServer;

When the OnionDog Trojan is successfully released, it will communicate to a C&C (Trojan server), download other malware and save them in the %temp% folder and use “XXX_YYY.jpg” uniformly as the file name. These names have their special meaning and usually point to the target.

All signs show that OnionDog has strict organization and arrangement across its attack time, target, vulnerability exploration and utilization, and malicious code. At the same time, it is very cautious about covering up its tracks.

In 2014, OnionDog used many fixed IPs in South Korea as its C&C sites. Of course, this does not mean that the attacker is located in South Korea. These IPs could be used as puppets and jumping boards. By 2015, OnionDog website communications were upgraded to Onion City across the board. This is so far a relatively more advanced and covert method of network communication among APT attacks.

Onion City means that the deep web searching engine uses Tor2web agent technology to visit the anonymous Tor network deeply without using the Onion Brower specifically. And OnionDog uses the Onion City to hide the Trojan-controlling server in the Tor network.

In recent years, APT attacks on infrastructure facilities and large-scale enterprises have frequently emerged. Some that attack an industrial control system, such as Stuxnet, Black Energy and so on, can have devastating results. Some attacks are for the purpose of stealing information, such as the Lazarus hacker organization jointly revealed by Kaspersky, AlienVault lab and Novetta, and OnionDog which was recently exposed by the 360 Helios team. These secret cybercrimes can cause similarly serious losses as well.



Credit:  helpnetsecurity

[CRITICAL] CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

Have you ever been deep in the mines of debugging and suddenly realized that you were staring at something far more interesting than you were expecting? You are not alone! Recently a Google engineer noticed that their SSH client segfaulted every time they tried to connect to a specific host. That engineer filed a ticket to investigate the behavior and after an intense investigation we discovered the issue lay in glibc and not in SSH as we were expecting. Thanks to this engineer’s keen observation, we were able determine that the issue could result in remote code execution. We immediately began an in-depth analysis of the issue to determine whether it could be exploited, and possible fixes. We saw this as a challenge, and after some intense hacking sessions, we were able to craft a full working exploit!

In the course of our investigation, and to our surprise, we learned that the glibc maintainers had previously been alerted of the issue via their bug tracker in July, 2015. (bug). We couldn’t immediately tell whether the bug fix was underway, so we worked hard to make sure we understood the issue and then reached out to the glibc maintainers. To our delight, Florian Weimer and Carlos O’Donell of Red Hat had also been studying the bug’s impact, albeit completely independently! Due to the sensitive nature of the issue, the investigation, patch creation, and regression tests performed primarily by Florian and Carlos had continued “off-bug.”

This was an amazing coincidence, and thanks to their hard work and cooperation, we were able to translate both teams’ knowledge into a comprehensive patch and regression test to protect glibc users.

That patch is available here.


Issue Summary:

Our initial investigations showed that the issue affected all the versions of glibc since 2.9. You should definitely update if you are on an older version though. If the vulnerability is detected, machine owners may wish to take steps to mitigate the risk of an attack. The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack. Google has found some mitigations that may help prevent exploitation if you are not able to immediately patch your instance of glibc. The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack. Our suggested mitigation is to limit the response (i.e., via DNSMasq or similar programs) sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set.


Technical information:

glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query. Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated. Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow. The vectors to trigger this buffer overflow are very common and can include ssh, sudo, and curl. We are confident that the exploitation vectors are diverse and widespread; we have not attempted to enumerate these vectors further.


Remote code execution is possible, but not straightforward. It requires bypassing the security mitigations present on the system, such as ASLR. We will not release our exploit code, but a non-weaponized Proof of Concept has been made available simultaneously with this blog post. With this Proof of Concept, you can verify if you are affected by this issue, and verify any mitigations you may wish to enact. As you can see in the below debugging session we are able to reliably control EIP/RIP.

(gdb) x/i $rip => 0x7fe156f0ccce <_nss_dns_gethostbyname4_r+398>: req (gdb) x/a $rsp 0x7fff56fd8a48: 0x4242424242424242 0x4242424242420042

When code crashes unexpectedly, it can be a sign of something much more significant than it appears; ignore crashes at your peril! Failed exploit indicators, due to ASLR, can range from:

  • Crash on free(ptr) where ptr is controlled by the attacker.
  • Crash on free(ptr) where ptr is semi-controlled by the attacker since ptr has to be a valid readable address.
  • Crash reading from memory pointed by a local overwritten variable.
  • Crash writing to memory on an attacker-controlled pointer.

We would like to thank Neel Mehta, Thomas Garnier, Gynvael Coldwind, Michael Schaller, Tom Payne, Michael Haro, Damian Menscher, Matt Brown, Yunhong Gu, Florian Weimer, Carlos O’Donell and the rest of the glibc team for their help figuring out all details about this bug, exploitation, and patch development.



Credit:  Fermin J. Serna and Kevin Stadmeyer

Industrial Control Systems (ICS/SCADA) and Cyber Security

It’s a cyber war out there! Is your company ready for battle?

Industry is slowly waking up to the fact that its facilities are in the crosshairs, the targets of cyber attacks by bad actors trying to exploit vulnerabilities in industrial control systems (ICSs) to steal intellectual property or damage critical equipment.

Whether caused by sophisticated hacking teams assembled by nation states, cyber criminal organizations, potential competitors, disgruntled or careless employees, or just bored teenagers in their bedrooms, cyber intrusions into industrial facilities now number in the hundreds of thousands every year. Even unintentional cyber incidents can cause damage.

The result can be more dangerous than stolen credit card numbers or government personnel information, because it can cause real physical damage like a destroyed or damaged power plant, water system, chemical plant, or oil and gas facility. Attacks like these could bring a region or even an entire nation to its knees. But even smaller-scale events, such as hackers taking over control of cars on a busy interstate, or manipulating the recipe controls at a food processing plant, could wreak havoc.

In exploring this issue, one fact stands out: industrial control systems were never designed to be secure. Many have also been in place for 20 or 30 years, long before cybersecurity became an issue. It’s no wonder that retrofitting this massive installed base to overcome 21st century cyber vulnerabilities can seem like an insurmountable task.

Digital threats, physical dangers

“Everyone’s concerned about viruses and worms, but Stuxnet never killed anyone,” says Joe Weiss of Applied Control Solutions, who has amassed a database of more than 750 actual control system cyber incidents. “Compromised industrial control systems, on the other hand, have caused significant electrical outages, environmental and equipment damage, and even killed people.”

Weiss is managing director of the ISA99 committee, which helped develop the ISA/IEC 62443 series of standards on industrial automation and control systems security. “IT people are focused on vulnerabilities from information loss, but it’s the impact of ICS failures on equipment, people and the environment that matters to industrial control professionals,” he says. “Not every ICS cyber vulnerability is critical. We need to focus on what can affect control system operation so that end users can prioritize threats to system reliability and safety.”

Weiss sees his role as waking industry up to the real dangers it faces from compromised control systems. “Industry is a backwater when it comes to cybersecurity,” he says. “We don’t have the systems, the training or the technologies to address it because too many people still don’t believe it’s real.”

He takes a broader view of cybersecurity than many people, citing the emissions fraud at Volkswagen, where software was intentionally manipulated to falsify test results. “Industrial control lies more and more within the digital world,” he says. “Anything that changes the intent of the control system function, whether or not it’s with malicious intent, is a cyber issue.”

The enemy is often us

Companies may think they’re safe if their manufacturing systems are not connected to the Internet, but it turns out the biggest threat comes from their own employees.

“There’s no such thing as an air gap,” says Ben Orchard, applications engineer at Opto 22, referring to control systems that aren’t connected to the Internet. “Malicious software (malware) is chiefly introduced into control systems by employees, vendors or contractors who plug devices like an infected smartphone into a computer’s USB port to charge it or bring in a corrupted thumb drive.”

Since people are the biggest weakness in any security system, Orchard recommends disabling or even filling in non-essential USB ports with epoxy. Other basics include only executing software that’s been cryptographically signed by a trusted source, locking down the operating system so that no email or web browsing is allowed, and constant monitoring of control network traffic.

If you’re looking for proven practices to improve the cybersecurity of your facilities or production systems, Orchard recommends the ones developed by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the Department of Homeland Security. The guidelines address best practices like defense-in-depth, security zoning and encryption.

“They’ve done an astoundingly good job of assembling logical, practical, real-world advice,” he emphasizes. In particular, Orchard recommends downloading the first document in the series, “Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies” (see “More Sources for Security Guidance,”).

Help is a call away

Automation suppliers are actively engaged in the cyber battle. Vendors are continually adding new levels of security to their products and providing a range of customer education and support services.

Honeywell Process Solutions has fielded a team of more than 85 experts who can provide vendor-agnostic risk analysis, perform forensics, and help customers establish security policies, says Mike Baldi, cybersecurity architect for the company. Honeywell has also created a lab in Georgia to demonstrate and validate security solutions for customers, as well as train its own engineers.

Honeywell’s industrial cybersecurity risk manager software for continuous monitoring provides real-time, continuous monitoring of threats, vulnerabilities and risks specific to a control system, providing immediate notification of weaknesses in security.

“We’ll always be chasing evildoers,” Baldi says, “so advanced analytics are crucial, not just to analyze the latest attack but to identify patterns in these attacks that can guide us to the best solutions. It’s essential that companies analyze threat risk, test solutions at installation and maintain security over the life of a system.”

Turning control security on its head

Bedrock Automation is a company that’s making waves in the world of industrial control with a revolutionary platform that integrates an inside-out, bottom-up approach to cybersecurity.

“The cybersecurity issue was the catalyst for the creation of our new control platform. It’s software-defined automation,” says Albert Rooyakkers, CTO and engineering vice president for Bedrock.

Cybersecurity concerns were the catalyst for Bedrock Automation’s new control platform.

The company says the Bedrock system—created by a team of engineering experts from the automation and semiconductor industries—can function as a PLC, DCS, RTU or safety system. Bedrock is using independent system integrators and high-tech distributors as its channels to the market.

“This platform unification was the big breakthrough, something the major automation suppliers have never been able to achieve,” Rooyakkers says. “The incremental security improvements they’ve been doing for years are not likely to work because there are too many gaps to patch. It’s like taking a stick to a gunfight.”

According to research firm Frost & Sullivan, which cited the company’s work with its 2015 Best Practices Award for Industrial Control System Innovation, “Bedrock Automation has designed a control system with layered and embedded cybersecurity features, starting at the transistor level using secure microcontroller technology that includes secure memory, hardware accelerators and true random number generators.”

Rooyakkers adds, “ICS security in the cyber age will require a complete rethinking of control system design. Standards and best practices are being developed, but it will take a generation at the current pace of progress to achieve the level of security industry needs today.”

Hardening hardware and software

Given that most companies can’t afford a wholesale replacement of their existing control systems, many automation vendors are focused on making incremental improvements to harden their software and hardware.

Among the latest cybersecurity introductions by Emerson Process Management for its DeltaV control platform is a suite of cybersecurity software products from Intel Security’s McAfee Labs, including traditional antivirus, centralized whitelisting of applications allowed to run, security information and event management (SIEM) to perform analytics on events on everything from firewalls to operator stations, and network monitoring to identify unusual network communications.

“We’ve been hardening the control system with every DeltaV release,” says Neil Peterson, DeltaV product marketing director. “With the addition of SIEM, for example, you now have a tool that can manage the cybersecurity health of the control system as a whole, alerting you to unusual circumstances that need to be checked out. These include unauthorized communication attempts on your firewall and failed log-on attempts.”

There’s no silver bullet for cybersecurity, says Rick Gorskie, manager of Emerson’s asset strategy and management program. “Security requires a multilayered approach that combines technology, practices and people,” he says. “That furnace meltdown at a German steel mill purportedly started when someone clicked on a phishing email infected with malware, which allowed hackers to make their way down the network to attack the blast furnace.”

Gorskie says incidents like that are why he’s received more customer questions about security in the past year than in the previous 20 years. “We’re getting more board-level interest than ever before, and they’re starting to fund some serious projects because they want to avoid shutdowns,” Peterson adds. “Security is very hard and it requires shared responsibility. We develop systems with locks, but it requires ongoing vigilance to keep them secure. You can’t set it and forget it.”

More than networks

“Security is more than a network issue,” says Clark Case, security platform leader for Rockwell Automation. “Content (intellectual property) protection, tamper detection, user authentication and access control are just as important.”

While user concerns vary by industry and customer, Case says, “machine builders who ship their equipment offshore are particularly concerned about IP protection, so we’re releasing software licensing technology so they can control access to their source code.”

Rockwell has introduced a number of products and services to help customers design, deploy and maintain more secure control systems, according to Case. The company’s FactoryTalk AssetCentre software, for example, lets users see who is making changes to the control system and what changes have been made, including which machine the changes were made on and who was logged on at the time.

“We’re also making our controllers more secure in the design and manufacturing process so that they’re resilient to standard attacks,” Case adds. In addition to fielding a security incident response team for its products, Rockwell works closely with security groups like ICS-CERT.

“Companies need to step back and take a broader look at system risks—what bad things can be done, and how best to address them,” Case says. “Companies doing the best at mitigating cybersecurity risks have people on staff who are responsible for control system security. Fortunately, there are a growing number of operations technology people with the required skillsets.”

Different worlds

Cybersecurity is that much more important in manufacturing. “When there’s a breach in the IT world, you can take the system down and fix it,” explains Jeff Caldwell, chief architect for cybersecurity at Belden. “But in the industrial world, you have to continue to operate when there’s a problem. You can’t have power plants shutting down or planes falling from the sky. Industry’s primary concerns are resilience, uptime and safety. Cybersecurity is just a segment of that.”

Belden promotes a safe networking architecture that includes every device connected to those networks. “Consequently, we’ve developed cybersecurity solutions for all seven layers of the ISO stack,” Caldwell says.

Key elements of this architecture include security zoning; system change management; intrusion radiation protection to identify, halt and report invalid and anomalous traffic; security sentinels at every network juncture; layer 2 deep packet inspection in front of PLCs and RTUs as well as between security zones; authentication for user and administrator access; encryption of VPN traffic information; and secure wireless.

Belden recently acquired TripWire, a company that specializes in system change management, as part of a cybersecurity product portfolio that includes Tofino layer 2 firewalls with industrial protocol deep packet inspection.

Being knowledgeable about industrial protocols is essential to any control system security solution, Caldwell says. “IT uses gigantic signature files to identify patterns that indicate security problems, but that doesn’t work in the industrial world where communications often flow over serial cables that can’t carry large files,” he says. “Let’s face it: The IT world has failed at control system security. You just can’t jam IT solutions onto control systems and make them work. Only 20 percent of industrial cyber incidents are intentional, and disgruntled employees cause half of those. Just 10 percent come from hackers. That’s why it’s critical to protect against everything.”

This is not a test

“Most manufacturers have some degree of security preparedness in place, but it’s unknown whether these steps are enough to repel a full-scale targeted assault on a facility,” cautions Richard Clark, technical marketing specialist for SCADA cybersecurity at Schneider Electric Software, which includes InduSoft and Wonderware. “It seems more likely, as has been demonstrated in several modeling and public test sessions by ICS-CERT at Idaho National Lab, that such an attack would be successful because most engineers and IT personnel would not know how to react properly to such an event.”

Manufacturers need to ask themselves what damage could be caused at their facility if a targeted attack succeeded and their production system was shut down for weeks, Clark says. “These are the type of what-if scenarios that are frequently never explored. Few security managers or engineering teams have performed a single-point failure analysis of their facility, and even fewer have ever done a formal risk assessment using the results of the analysis,” he says. “This is especially irresponsible since there are excellent tools to help them find answers to these questions and determine if they are dedicating enough resources to safeguarding their facilities from a breach or control system malfunction.”

Clark says forward-looking security engineers and IT personnel have begun using automation to assist them in preventing attacks, combining security solutions to create what is known as defense-in-depth. These layers of disparate security measures can virtually surround critical assets and infrastructure.

“Once customers make the effort to begin to understand the nature of these threats to their facilities, products and employees, the safer and more operationally efficient they will become,” he says.

More Sources for Security Guidance

ICS-CERT Guidelines >>

Belden Security Blogs >>

Schneider Electric/InduSoft Security eBooks >>

NIST Cybersecurity Framework Gap Analysis Tool >>

PBS Nova Program on Cybersecurity >>

ISA 99/ISA/IEC 62443 Guidelines >>




Credit:  , automationworld

BlackEnergy Attacking Ukraine’s Critical Infrastructures

The cybercriminal group behind BlackEnergy, the malware family that has been around since 2007 and has made a comeback in 2014 (see our previous blog posts on Back in BlackEnergy *: 2014 Targeted Attacks in Ukraine and Poland and BlackEnergy PowerPoint Campaigns, as well as ourVirus Bulletin talk on the subject), was also active in the year 2015.

ESET has recently discovered that the BlackEnergy trojan was recently used as a backdoor to deliver a destructive KillDisk component in attacks against Ukrainian news media companies and against the electrical power industry. In this blog, we provide details on the BlackEnergy samples ESET has detected in 2015, as well as the KillDisk components used in the attacks. Furthermore, we examine a previously unknown SSH backdoor that was also used as another channel of accessing the infected systems, in addition to BlackEnergy.

BlackEnergy evolution in 2015

Once activated, variants of BlackEnergy Lite allow a malware operator to check specific criteria in order to assess whether the infected computer truly belongs to the intended target. If that is the case, the dropper of a regular BlackEnergy variant is pushed to the system.

The BlackEnergy malware stores XML configuration data embedded in the binary of DLL payload.

Figure 1 – The BlackEnergy configuration example used in 2015

Figure 1 – The BlackEnergy configuration example used in 2015

Apart from a list of C&C servers, the BlackEnergy config contains a value called build_id. This value is a unique text string used to identify individual infections or infection attempts by the BlackEnergy malware operators. The combinations of letters and numbers used can sometimes reveal information about the campaign and targets.

Here is the list of Build ID values that we identified in 2015:

  • 2015en
  • khm10
  • khelm
  • 2015telsmi
  • 2015ts
  • 2015stb
  • kiev_o
  • brd2015
  • 11131526kbp
  • 02260517ee
  • 03150618aaa
  • 11131526trk

We can speculate that some of them have a special meaning. For example 2015telsmi could contain the Russian acronym SMI – Sredstva Massovoj Informacii, 2015en could mean Energy, and there’s also the obvious “Kiev”.

KillDisk component

In 2014 some variants of the BlackEnergy trojan contained a plugin designed for the destruction of the infected system, named dstr.

In 2015 the BlackEnergy group started to use a new destructive BlackEnergy component detected by ESET products as Win32/KillDisk.NBB, Win32/KillDisk.NBC and Win32/KillDisk.NBD trojan variants.

The main purpose of this component is to do damage to data stored on the computer: it overwrites documents with random data and makes the OS unbootable.

The first known case where the KillDisk component of BlackEnergy was used was documented by CERT-UA in November 2015. In that instance, a number of news media companies were attacked at the time of the 2015 Ukrainian local elections. The report claims that a large number of video materials and various documents were destroyed as a result of the attack.

It should be noted that the Win32/KillDisk.NBB variant used against media companies is more focused on destroying various types of files and documents. It has a long list of file extensions that it tries to overwrite and delete. The complete list contains more than 4000 file extensions.


Figure 2 – A partial list of file extensions targeted for destruction by KillDisk.NBB

Figure 2 – A partial list of file extensions targeted for destruction by KillDisk.NBB

The KillDisk component used in attacks against energy companies in Ukraine was slightly different. Our analysis of the samples shows that the main changes made in the newest version are:

  • Now it accepts a command line argument, to set a specific time delay when the destructive payload should activate.
  • It also deletes Windows Event Logs : Application, Security, Setup, System.
  • It is less focused on deleting documents. Only 35 file extensions are targeted.
Figure 3 – A list of file extensions targeted for destruction by new variant of KillDisk component

Figure 3 – A list of file extensions targeted for destruction by new variant of KillDisk component

As well as being able to delete system files to make the system unbootable – functionality typical for such destructive trojans – the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems.

Once activated, this variant of the KillDisk component looks for and terminates two non-standard processes with the following names:

  • komut.exe
  • sec_service.exe

We didn’t manage to find any information regarding the name of the first process (komut.exe).

The second process name may belong to software called ASEM Ubiquity, a software platform that is often used in Industrial control systems (ICS), or to ELTIMA Serial to Ethernet Connector. In case the process is found, the malware does not just terminate it, but also overwrites the executable file with random data.

Backdoored SSH server

In addition to the malware families already mentioned, we have discovered an interesting sample used by the BlackEnergy group. During our investigation of one of the compromised servers we found an application that, at first glance, appeared to be a legitimate SSH server called Dropbear SSH.

In the order to run the SSH server, the attackers created a VBS file with the following content:

Set WshShell = CreateObject(“WScript.Shell”)
WshShell.CurrentDirectory = “C:\WINDOWS\TEMP\Dropbear\”
WshShell.Run “dropbear.exe -r rsa -d dss -a -p 6789″, 0, false

As is evident here, the SSH server will accept connections on port number 6789. By running SSH on the server in a compromised network, attackers can come back to the network whenever they want.

However, for some reason this was not enough for them. After detailed analysis we discovered that the binary of the SSH server actually contains a backdoor.

Figure 4 – Backdoored authentication function in SSH server

Figure 4 – Backdoored authentication function in SSH server

As you can see in Figure 4, this version of Dropbear SSH will authenticate the user if the password passDs5Bu9Te7 was entered. The same situation applies to authentication by key pair – the server contains a pre-defined constant public key and it allows authentication only if a particular private key is used.

Figure 5 – The embedded RSA public key in SSH server

Figure 5 – The embedded RSA public key in SSH server

ESET security solutions detect this threat as Win32/SSHBearDoor.A trojan.

Indicators of Compromise (IoC)

IP addresses of BlackEnergy C2-servers:

XLS document with malicious macro SHA-1:

BlackEnergy Lite dropper SHA-1:

BlackEnergy Big dropper SHA-1:

BlackEnergy drivers SHA-1:

KillDisk-components SHA-1:

VBS/Agent.AD trojan SHA-1:

Win32/SSHBearDoor.A trojan SHA-1:

Credit: welivesecurity