Triton Malware Exploited Zero-Day in Schneider Electric Devices

The recently discovered malware known as Triton and Trisis exploited a zero-day vulnerability in Schneider Electric's Triconex Safety Instrumented System (SIS) controllers in an attack aimed at a critical infrastructure organization. The malware[1], designed to target industrial control systems (ICS), was discovered after it caused a shutdown at an organization in the Middle East. Both FireEye and Dragos published detailed reports on the threat.

Triton is designed to target Schneider Electric Triconex SIS devices, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially dangerous situation. The malware uses the TriStation proprietary protocol to interact with SIS controllers, including read and write programs and functions. Schneider initially believed that the malware had not leveraged any vulnerabilities in its product, but the company has now informed customers that Triton did in fact exploit a flaw in older versions of the Triconex Tricon system.

The company says the flaw affects only a small number of older versions and a patch will be released in the coming weeks. Schneider is also working on a tool - expected to become available next month - that detects the presence of the malware on a controller and removes it. Schneider has highlighted, however, that despite the existence of the vulnerability, the Triton malware would not have worked had the targeted organization followed best practices and implemented security procedures.

Specifically, the Triton malware can only compromise a SIS device if it's set to PROGRAM mode. The vendor recommends against keeping the controller in this mode when it's not actively configured. Had the targeted critical infrastructure organization applied this recommendation, the malware could not have compromised the device, even with the existence of the vulnerability, which Schneider has described as only one element in a complex attack scenario.

The company noted that its product worked as designed - it shut down systems when it detected a potentially dangerous situation - and no harm was incurred by the customer or their environment. In its advisory, Schneider also told customers that the malware is capable of scanning and mapping systems. "The malware has the capability to scan and map the industrial control system to provide reconnaissance and issue commands to Tricon controllers.

Once deployed, this type of malware, known as a Remotely Accessible Trojan (RAT), controls a system via a remote network connection as if by physical access," Schneider said. The industrial giant has advised customers to always implement the instructions in the "Security Considerations" section of the Triconex documentation. The guide recommends keeping the controllers in locked cabinets and even displaying an alarm whenever they are set to "PROGRAM" mode.

While it's unclear who is behind the Triton/Trisis attack, researchers agree that the level of sophistication suggests the involvement of a state-sponsored actor. Industrial cybersecurity and threat intelligence firm CyberX believes, based on its analysis of Triton, that the malware was developed by Iran[2] and the targeted organization was in Saudi Arabia. Related: Learn More at SecurityWeek's 2018 ICS Cyber Security Conference[3]

Related: DHS Warns of Malware Targeting Industrial Safety Systems[4]


  1. ^ malware (
  2. ^ developed by Iran (
  3. ^ Learn More at SecurityWeek's 2018 ICS Cyber Security Conference (
  4. ^ DHS Warns of Malware Targeting Industrial Safety Systems (

New KillDisk Variant Spotted in Latin America

A new variant of the disk-wiper malware known as KillDisk has been spotted by Trend Micro researchers in attacks aimed at financial organizations in Latin America. The security firm is in the process of examining the new variant and the attacks, but an initial analysis showed that the Trojan appears to be delivered by a different piece of malware or it may be part of a bigger attack. Early versions of KillDisk were designed to wipe hard drives in an effort to make systems inoperable.

The malware was used by the Russia-linked threat actor BlackEnergy in the 2015 attack[1] aimed at Ukraine's energy sector. Roughly one year after the Ukraine attack, researchers reported that its developers had turned KillDisk[2] into file-encrypting ransomware. However, the samples analyzed at the time used the same encryption key for all instances, making it possible for victims to recover files.

Experts later reported seeing a KillDisk ransomware designed to target Linux machines[3], but the malware did not save encryption keys anywhere, making it impossible to recover files. Some links[4] have also been found between KillDisk and the NotPetya malware, which initially appeared to be a piece of ransomware but later turned out to be a disk wiper. NotPetya hit machines in more than 65 countries and major companies reported losing[5] hundreds of millions of dollars as a result of the attack.

The latest variant[6], which Trend Micro tracks as TROJ_KILLDISK.IUB, goes back to its roots and focuses on deleting files and wiping the disk. The malware, designed to target Windows systems, goes through all drives in order to delete files, except for system files and folders. It then proceeds to wipe the disk, which includes reading the master boot record (MBR) and overwriting the extended boot record (EBR).

The file removal and disk wiping procedures involve overwriting files and disk sectors in order to make recovery more difficult. Once files and partitions have been deleted and overwritten, the malware attempts to terminate several processes in an effort to reboot the infected machine. By targeting processes associated with the client/server runtime subsystem (csrss.exe), Windows start-up (wininit.exe), Windows logon (winlogon.exe), and the Local Security Authority Subsystem Service (lsass.exe), the malware can force a blue screen of death (BSOD), a logout, or a restart.

Trend Micro has promised to share more information on the new KillDisk variant as its investigation continues. Related: Shamoon-Linked "StoneDrill" Malware Allows Spying, Destruction[7] Related: Meet MBR-ONI, Bootkit Ransomware Used as a Targeted Wiper[8]

Related: Web Hosting Provider Pays £1 Million to Ransomware Attackers[9]


  1. ^ attack (
  2. ^ turned KillDisk (
  3. ^ target Linux machines (
  4. ^ links (
  5. ^ losing (
  6. ^ latest variant (
  7. ^ Shamoon-Linked "StoneDrill" Malware Allows Spying, Destruction (
  8. ^ Meet MBR-ONI, Bootkit Ransomware Used as a Targeted Wiper (
  9. ^ Web Hosting Provider Pays £1 Million to Ransomware Attackers (

Microsoft Patches Zero-Day Vulnerability in Office

Microsoft’s January 2018 Patch Tuesday updates address more than 50 vulnerabilities, including a zero-day vulnerability in Office related to an Equation Editor flaw that has been exploited by several threat groups in the past few months. The zero-day vulnerability, tracked as CVE-2018-0802[1], has been described by Microsoft as a memory corruption issue that can be exploited for remote code execution by getting targeted users to open a specially crafted file via Office or WordPad. Microsoft has credited several researchers from Chinese companies Tencent and Qihoo 360, ACROS Security’s 0Patch Team, and experts from Check Point Software Technologies for finding the flaw.

The security hole is related to CVE-2017-11882[2], a 17-year-old vulnerability in the Equation Editor (EQNEDT32.EXE), which the vendor addressed with the November 2017 Patch Tuesday updates. Based on how the patch was developed, experts believe Microsoft may have lost the application’s source code, which forced it to somehow patch the executable file directly[3]. Microsoft replaced the Equation Editor component in Office 2007, but kept the old one as well for compatibility reasons.

The problematic component has now been removed from Office. 0Patch researchers have been analyzing CVE-2017-11882, which has likely led them to discovering a new, related vulnerability. Check Point has published a blog post with the details of CVE-2018-0802[4] and showed how an exploit works, but they have not mentioned any attacks.

This suggests that the Chinese researchers may have been the ones who spotted the vulnerability being exploited in attacks. This would not be the first time experts at Qihoo 360 witnessed the exploitation of an Office zero-day. Back in October, after Microsoft released a patch, they reported seeing CVE-2017-11826 being leveraged to deliver malware[5].

If CVE-2018-0802 is related to CVE-2017-11882, there is a long list of threat actors who may be exploiting it. CVE-2017-11882 has been exploited by Iranian cyberspies[6], the Cobalt hacking group[7], someone who uses TelegramRAT[8], and likely others. Microsoft’s Patch Tuesday updates[9] also address a spoofing vulnerability in Office for Mac that has already been publicly disclosed.

Sixteen of the flaws resolved this month have been rated critical, a majority affecting the scripting engine used by the Edge and Internet Explorer web browsers. Microsoft has also rated critical a Word vulnerability (CVE-2018-0797) that can be exploited for remote code execution using specially crafted RTF files. Adobe’s Patch Tuesday updates for this month patch only one information disclosure vulnerability in Flash Player.

Related: Microsoft Patches for CPU Flaws Break Windows, Apps[10]

Related: Microsoft Suspends CPU Flaw Patches for AMD Devices[11]


  1. ^ CVE-2018-0802 (
  2. ^ CVE-2017-11882 (
  3. ^ patch the executable file directly (
  4. ^ details of CVE-2018-0802 (
  5. ^ leveraged to deliver malware (
  6. ^ Iranian cyberspies (
  7. ^ Cobalt hacking group (
  8. ^ TelegramRAT (
  9. ^ Microsoft’s Patch Tuesday updates (
  10. ^ Microsoft Patches for CPU Flaws Break Windows, Apps (
  11. ^ Microsoft Suspends CPU Flaw Patches for AMD Devices (