Home ResourcesBlog FoxGuard monitors attack targeting ICS – Crash Override / Industroyer

FoxGuard monitors attack targeting ICS – Crash Override / Industroyer

Share:Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedIn

Earlier in the week, an attack framework was brought to the attention of the cyber security industry that specifically targets industrial control systems. This framework is being referred to as Crash Override, and Industroyer.

It is largely believed that this framework was utilized in the Ukraine attack in December of 2016 which shutdown a large portion of the Kiev, Ukraine transmission substation. Currently analyzed versions of the framework show that the attackers have an extensive knowledge of industrial control systems used in electric power systems.

Support has been observed for the following ICS protocols:
   •    IEC 60870-5-101
   •    IEC 608570-5-104
   •    IEC 61850
   •    OLE for Process Control Data Access (OPC DA).

There have not been any observed cases of the malware utilizing the DNP3 protocol, which is the preferred protocol used in North America as opposed to IEC 101 and IEC 104. This, however, does not mean the DNP3 module does not exist in the framework and has not been revealed. Due to the modular design of the attack framework, a DNP3 module could also be easily implemented if there is not one already.

The attack gains access to ICS equipment through the HMI’s controlling them. It is therefore extremely important to make sure all HMI’s are updated fully, and hardened to the fullest extent. The framework has three primary modules: the backdoor, the launcher module, and the payload module. The backdoor authenticates with a local proxy and opens an http channel to a command and control server, which is used to send commands to the framework. The launcher module starts itself as a service, loads the payloads defined during execution, then starts a time to launch a data wiper, which renders the system unusable. The payload modules carry out the actual attack on the ICS equipment and contains protocol specific information.

Microsoft has also released patches to deprecated operating systems to harden against several vulnerabilities such as remote code execution. Microsoft has released these patches due to “heightened risk of exploitation due to past and threatened nation-state attacks and disclosures.” Operating systems still in support received the patches as well. The release of these patches does NOT constitute a return to service for the deprecated operating systems and was only released due to the severity of the vulnerabilities. The deprecated operating systems that the patches were made available for are as follow: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. It is strongly recommended to apply these patches as soon as possible to prevent attacks to your systems.

For more information on Crash Override / Industroyer, refer to the links below:
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

For more information on Microsoft’s release of patches, refer to the links below:
https://support.microsoft.com/en-us/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms
https://technet.microsoft.com/en-us/library/security/4025685.aspx#ID0ETJAC

 

WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.

RESERVE YOUR SPOT

If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

Talk to an Expert