Virus & Malware

Triton Malware Exploited Zero-Day in Schneider Electric Devices

The recently discovered malware known as Triton and Trisis exploited a zero-day vulnerability in Schneider Electric's Triconex Safety Instrumented System (SIS) controllers in an attack aimed at a critical infrastructure organization. The malware[1], designed to target industrial control systems (ICS), was discovered after it caused a shutdown at an organization in the Middle East. Both FireEye and Dragos published detailed reports on the threat.

Triton is designed to target Schneider Electric Triconex SIS devices, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially dangerous situation. The malware uses the proprietary TriStation protocol to interact with SIS controllers, including reading and writing programs and functions. Schneider initially believed that the malware had not leveraged any vulnerabilities in its product, but the company has now informed customers that Triton did in fact exploit a flaw in older versions of the Triconex Tricon system.

The company says the flaw affects only a small number of older versions and a patch will be released in the coming weeks. Schneider is also working on a tool - expected to become available next month - that detects the presence of the malware on a controller and removes it. Schneider has highlighted, however, that despite the existence of the vulnerability, the Triton malware would not have worked had the targeted organization followed best practices and implemented security procedures.

Specifically, the Triton malware can only compromise a SIS device if it's set to PROGRAM mode. The vendor recommends against keeping the controller in this mode when it's not actively configured. Had the targeted critical infrastructure organization applied this recommendation, the malware could not have compromised the device, even with the existence of the vulnerability, which Schneider has described as only one element in a complex attack scenario.

The company noted that its product worked as designed - it shut down systems when it detected a potentially dangerous situation - and no harm was incurred by the customer or their environment. In its advisory, Schneider also told customers that the malware is capable of scanning and mapping systems.

"The malware has the capability to scan and map the industrial control system to provide reconnaissance and issue commands to Tricon controllers. Once deployed, this type of malware, known as a Remotely Accessible Trojan (RAT), controls a system via a remote network connection as if by physical access," Schneider said. The industrial giant has advised customers to always implement the instructions in the "Security Considerations" section of the Triconex documentation. The guide recommends keeping the controllers in locked cabinets and even displaying an alarm whenever they are set to "PROGRAM" mode.

While it's unclear who is behind the Triton/Trisis attack, researchers agree that the level of sophistication suggests the involvement of a state-sponsored actor. Industrial cybersecurity and threat intelligence firm CyberX believes, based on its analysis of Triton, that the malware was developed by Iran[2] and the targeted organization was in Saudi Arabia.

Related: Learn More at SecurityWeek's 2018 ICS Cyber Security Conference[3]

Related: DHS Warns of Malware Targeting Industrial Safety Systems[4]

References

  1. ^ malware (www.securityweek.com)
  2. ^ developed by Iran (www.securityweek.com)
  3. ^ Learn More at SecurityWeek's 2018 ICS Cyber Security Conference (www.icscybersecurityconference.com)
  4. ^ DHS Warns of Malware Targeting Industrial Safety Systems (www.securityweek.com)

Zyklon Malware Delivered via Recent Office Flaws

A piece of malware known as Zyklon has been delivered by cybercriminals using some relatively new vulnerabilities in Microsoft Office, FireEye reported on Wednesday. Zyklon[1] has been around since early 2016 and it allows attackers to conduct a wide range of malicious activities, including launching distributed denial-of-service (DDoS) attacks, logging keystrokes, stealing passwords, and mining cryptocurrency. A recent campaign[2] observed by FireEye has been aimed at organizations in the telecommunications, insurance and financial services sectors.

The malware has been delivered as a ZIP archive attached to spam emails. The ZIP file contains a specially crafted Word document that exploits one of three weaknesses in Microsoft Office to deliver a PowerShell script that downloads the final Zyklon payload from a remote server. One of the vulnerabilities exploited by the malicious documents is CVE-2017-8759, a flaw patched by Microsoft in September 2017 after FireEye noticed that it had been exploited to deliver spyware[3].

The security hole was later used by China-linked cyberspies[4] to target organizations in the United States. Another flaw exploited to deliver Zyklon is CVE-2017-11882[5], a 17-year-old vulnerability in the Equation Editor component that Microsoft patched in November. CVE-2017-11882 has been leveraged by Iranian cyberspies[6], the Cobalt hacking group[7], and others.

Cybercriminals have also abused the Dynamic Data Exchange (DDE) feature in Office to spread the malware. Russia-linked cyberspies and many other threat actors have abused DDE[8] to deliver malware, which ultimately led to Microsoft disabling[9] the feature in all versions of Word in an effort to prevent attacks. If the malicious documents successfully exploit one of these weaknesses, they download a PowerShell script that injects code and fetches the final payload from a server.
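As an added defensive illustration (not code from FireEye's report or from the original article), the sketch below triages a ZIP attachment for Word documents that contain DDE or DDEAUTO field instructions, joining instruction text that is split across runs. The file names and field arguments are constructed, inert samples; nested fields and legacy .doc/RTF files are outside what it covers.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_FIELD = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)

def dde_fields(docx_bytes):
    """Return (part, instruction) for each DDE/DDEAUTO field in an OOXML Word file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as doc:
        parts = [p for p in doc.namelist() if p.startswith("word/") and p.endswith(".xml")]
        for part in parts:
            root = ET.fromstring(doc.read(part))
            # Simple fields keep the whole instruction in one attribute.
            instrs = [el.get(W + "instr", "") for el in root.iter(W + "fldSimple")]
            buf = None  # complex field: join instrText runs between begin and end
            for el in root.iter():
                if el.tag == W + "fldChar":
                    kind = el.get(W + "fldCharType")
                    if kind == "begin":
                        buf = []
                    elif buf is not None:  # "separate" or "end" closes the instruction
                        instrs.append("".join(buf))
                        buf = None
                elif el.tag == W + "instrText" and buf is not None:
                    buf.append(el.text or "")
            hits += [(part, i.strip()) for i in instrs if DDE_FIELD.match(i)]
    return hits

def scan_attachment(zip_bytes):
    """Map each Word document inside a ZIP attachment to its DDE fields."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        docs = [n for n in zf.namelist() if n.lower().endswith((".docx", ".docm"))]
        found = {n: dde_fields(zf.read(n)) for n in docs}
    return {n: hits for n, hits in found.items() if hits}

def make_zip(files):
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return out.getvalue()

def sample_attachment():
    """Constructed, inert sample: one document with a split DDEAUTO field, one clean."""
    ns = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    ch = '<w:r><w:fldChar w:fldCharType="%s"/></w:r>'
    fld = lambda *t: ch % "begin" + "".join(f"<w:r><w:instrText>{s}</w:instrText></w:r>" for s in t) + ch % "end"
    doc = lambda body: make_zip({"word/document.xml": f"<w:document {ns}><w:body><w:p>{body}</w:p></w:body></w:document>"})
    return make_zip({"invoice.docx": doc(fld("DD", "EAUTO constructed-app constructed-topic")),
                     "notes.docx": doc(fld(" PAGE "))})
```

ElementTree is used here for brevity; when parsing untrusted mail attachments at scale, a hardened parser such as defusedxml is the safer choice.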

The malware uses the Tor network to communicate with its command and control (C&C) server. Once a connection has been established, the attacker can instruct the malware to provide information about the infected system, launch DDoS attacks, mine cryptocurrency, and upload harvested data. In addition to built-in functionality, Zyklon has several plugins that can be loaded for additional features.

The plugins allow attackers to steal passwords from popular web browsers, FTP and email passwords, keys associated with video games, and software license keys. The malware can also establish a Socks5 proxy on the infected machine, and it can hijack the clipboard in order to replace Bitcoin addresses copied by the victim with addresses owned by the attacker.

Related: Microsoft Patches Zero-Day Vulnerability in Office[10]

Related: Locky Uses DDE Attack for Distribution[11]

References

  1. ^ Zyklon (blog.talosintelligence.com)
  2. ^ campaign (www.fireeye.com)
  3. ^ deliver spyware (www.securityweek.com)
  4. ^ China-linked cyberspies (www.securityweek.com)
  5. ^ CVE-2017-11882 (www.securityweek.com)
  6. ^ Iranian cyberspies (www.securityweek.com)
  7. ^ Cobalt hacking group (www.securityweek.com)
  8. ^ abused DDE (www.securityweek.com)
  9. ^ disabling (www.securityweek.com)
  10. ^ Microsoft Patches Zero-Day Vulnerability in Office (www.securityweek.com)
  11. ^ Locky Uses DDE Attack for Distribution (www.securityweek.com)
