SCADA / ICS

Triton Malware Exploited Zero-Day in Schneider Electric Devices

The recently discovered malware known as Triton and Trisis exploited a zero-day vulnerability in Schneider Electric's Triconex Safety Instrumented System (SIS) controllers in an attack aimed at a critical infrastructure organization. The malware[1], designed to target industrial control systems (ICS), was discovered after it caused a shutdown at an organization in the Middle East. Both FireEye and Dragos published detailed reports on the threat.

Triton is designed to target Schneider Electric Triconex SIS devices, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially dangerous situation. The malware uses the TriStation proprietary protocol to interact with SIS controllers, including read and write programs and functions. Schneider initially believed that the malware had not leveraged any vulnerabilities in its product, but the company has now informed customers that Triton did in fact exploit a flaw in older versions of the Triconex Tricon system.

The company says the flaw affects only a small number of older versions and a patch will be released in the coming weeks. Schneider is also working on a tool - expected to become available next month - that detects the presence of the malware on a controller and removes it. Schneider has highlighted, however, that despite the existence of the vulnerability, the Triton malware would not have worked had the targeted organization followed best practices and implemented security procedures.

Specifically, the Triton malware can only compromise a SIS device if it's set to PROGRAM mode. The vendor recommends against keeping the controller in this mode when it's not actively configured. Had the targeted critical infrastructure organization applied this recommendation, the malware could not have compromised the device, even with the existence of the vulnerability, which Schneider has described as only one element in a complex attack scenario.

The company noted that its product worked as designed - it shut down systems when it detected a potentially dangerous situation - and no harm was incurred by the customer or their environment. In its advisory, Schneider also told customers that the malware is capable of scanning and mapping systems. "The malware has the capability to scan and map the industrial control system to provide reconnaissance and issue commands to Tricon controllers.

Once deployed, this type of malware, known as a Remotely Accessible Trojan (RAT), controls a system via a remote network connection as if by physical access," Schneider said. The industrial giant has advised customers to always implement the instructions in the "Security Considerations" section of the Triconex documentation. The guide recommends keeping the controllers in locked cabinets and even displaying an alarm whenever they are set to "PROGRAM" mode.

While it's unclear who is behind the Triton/Trisis attack, researchers agree that the level of sophistication suggests the involvement of a state-sponsored actor. Industrial cybersecurity and threat intelligence firm CyberX believes, based on its analysis of Triton, that the malware was developed by Iran[2] and the targeted organization was in Saudi Arabia. Related: Learn More at SecurityWeek's 2018 ICS Cyber Security Conference[3]

Related: DHS Warns of Malware Targeting Industrial Safety Systems[4]

References

  1. ^ malware (www.securityweek.com)
  2. ^ developed by Iran (www.securityweek.com)
  3. ^ Learn More at SecurityWeek's 2018 ICS Cyber Security Conference (www.icscybersecurityconference.com)
  4. ^ DHS Warns of Malware Targeting Industrial Safety Systems (www.securityweek.com)

Mirai Variant Targets ARC CPU-Based Devices

A newly discovered variant of the Mirai Internet of Things (IoT) botnet is targeting devices with ARC (Argonaut RISC Core) embedded processors, researchers warn.

Dubbed Okiru, the new malware variant appears to be different from the Satori botnet, although the latter was also called Okiru by its author. Security researchers analyzing the new threat have discovered multiple differences between the two Mirai versions, aside from the targeting of the ARC architecture.[1][2]

Originally designed by ARC International, the ARC processors are 32-bit CPUs widely used in system on chip (SOC) devices for storage, home, mobile, automotive, and IoT applications. Each year, over 1.5 billion devices are shipped with ARC processors inside.

Mirai Okiru represents the very first known malware targeting ARC processors, independent security researcher Odisseus, who analyzed the threat, notes.[3]

The botnet was discovered by @unixfreaxjp from malwaremustdie.org, the security researcher who spotted the first Mirai variant in August 2016.

In a post on reddit, the researcher explained that, although distributed denial of service (DDoS) is the main purpose of the last two Mirai versions, they are very different.[4][5]

One of the characteristics that sets them apart is the configuration, which in Okiru is encrypted in two parts with telnet bombardment password encrypted. Satori doesn't split it in two and doesn't encrypt brute default passwords either. Moreover, the new malware variant can use up to 114 credentials for telnet attack, while Satori uses a different and shorter database.

The researcher also explains that Okiru seems to lack the "TSource Engine Query" common Distributed "Reflective" (DRDoS) attack function via random UDP that Satori has.

The two also have different infection follow up commands written in their configurations and show differences in usage of watchdog.

Okiru was found to have four types of router attack exploit code hard coded in it, none of which is found in Satori. Furthermore, there are small embedded ELF Trojan downloaders in Satori, which are used to download other architecture binaries (these were coded differently compared to Okiru ones).

Last week, when the researchers first noticed Okiru's attacks, the malware enjoyed low detection in VirusTotal. Thus, and because the new threat is targeting devices that haven't been hit by malware previously, researchers expect an uptick in Mirai infections.

It is also clear that the actor behind the botnet is actively following reports on the malware.

Within minutes after ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group member Pierluigi Paganini wrote about Okiru, the website was hit with a DDoS attack that lasted over an hour, Italy's CERT-PA revealed (translated).[6][7]

Related: Botnet's Huawei Router Exploit Code Now Public[8]

Related: Mirai Variant "Satori" Targets Huawei Routers[9]

References

  1. ^ the Satori botnet (www.securityweek.com)
  2. ^ also called (blog.fortinet.com)
  3. ^ notes (twitter.com)
  4. ^ @unixfreaxjp (twitter.com)
  5. ^ a post (www.reddit.com)
  6. ^ wrote (securityaffairs.co)
  7. ^ translated (translate.google.com)
  8. ^ Botnet's Huawei Router Exploit Code Now Public (www.securityweek.com)
  9. ^ Mirai Variant "Satori" Targets Huawei Routers (www.securityweek.com)

Mirai Variant Targets ARC CPU-Based Devices

A newly discovered variant of the Mirai Internet of Things (IoT) botnet is targeting devices with ARC (Argonaut RISC Core) embedded processors, researchers warn.

Dubbed Okiru, the new malware variant appears to be different from the Satori botnet, although the latter was also called Okiru by its author. Security researchers analyzing the new threat have discovered multiple differences between the two Mirai versions, aside from the targeting of the ARC architecture.[1][2]

Originally designed by ARC International, the ARC processors are 32-bit CPUs widely used in system on chip (SOC) devices for storage, home, mobile, automotive, and IoT applications. Each year, over 1.5 billion devices are shipped with ARC processors inside.

Mirai Okiru represents the very first known malware targeting ARC processors, independent security researcher Odisseus, who analyzed the threat, notes.[3]

The botnet was discovered by @unixfreaxjp from malwaremustdie.org, the security researcher who spotted the first Mirai variant in August 2016.

In a post on reddit, the researcher explained that, although distributed denial of service (DDoS) is the main purpose of the last two Mirai versions, they are very different.[4][5]

One of the characteristics that sets them apart is the configuration, which in Okiru is encrypted in two parts with telnet bombardment password encrypted. Satori doesn’t split it in two and doesn’t encrypt brute default passwords either. Moreover, the new malware variant can use up to 114 credentials for telnet attack, while Satori uses a different and shorter database.

The researcher also explains that Okiru seems to lack the “TSource Engine Query” common Distributed “Reflective” (DRDoS) attack function via random UDP that Satori has.

The two also have different infection follow up commands written in their configurations and show differences in usage of watchdog.

Okiru was found to have four types of router attack exploit code hard coded in it, none of which is found in Satori. Furthermore, there are small embedded ELF Trojan downloaders in Satori, which are used to download other architecture binaries (these were coded differently compared to Okiru ones).

Last week, when the researchers first noticed Okiru’s attacks, the malware enjoyed low detection in VirusTotal. Thus, and because the new threat is targeting devices that haven’t been hit by malware previously, researchers expect an uptick in Mirai infections.

It is also clear that the actor behind the botnet is actively following reports on the malware.

Within minutes after ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group member Pierluigi Paganini wrote about Okiru, the website was hit with a DDoS attack that lasted over an hour, Italy’s CERT-PA revealed (translated).[6][7]

Related: Botnet’s Huawei Router Exploit Code Now Public[8]

Related: Mirai Variant “Satori” Targets Huawei Routers[9]

References

  1. ^ the Satori botnet (www.securityweek.com)
  2. ^ also called (blog.fortinet.com)
  3. ^ notes (twitter.com)
  4. ^ @unixfreaxjp (twitter.com)
  5. ^ a post (www.reddit.com)
  6. ^ wrote (securityaffairs.co)
  7. ^ translated (translate.google.com)
  8. ^ Botnet’s Huawei Router Exploit Code Now Public (www.securityweek.com)
  9. ^ Mirai Variant “Satori” Targets Huawei Routers (www.securityweek.com)