Chervonite/Pipedream malware - Printable Version
Sinisterly (https://sinister.ly) - Forum: World News - Thread: Chervonite/Pipedream malware (https://sinister.ly/Thread-Chervonite-Pipedream-malware)
Chervonite/Pipedream malware - ConcernedCitizen - 04-20-2022

Pipedream

In a joint advisory from DOE / CISA / FBI / NSA:
https://www.cisa.gov/sites/default/files/publications/Joint_Cybersecurity%20Advisory_APT%20Cyber%20Tools%20Targeting%20ICS_SCADA%20Devices_4-14-22_UPDATE.pdf

The APT actors have developed custom-made tools for targeting ICS/SCADA devices. The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities. By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions. DOE, CISA, NSA, and the FBI urge critical infrastructure organizations, especially Energy Sector organizations, to implement the detection and mitigation recommendations provided in this CSA to detect potential malicious APT activity and harden their ICS/SCADA devices.

A new APT has developed new tools giving them full access to ICS. SCADA devices like those used within the energy sector can be fully compromised by the attacker, who can gain full control and sabotage oil refineries and electrical power grids via custom tools. A Ukrainian company already reported the usage of this sort of attack in the wild, which was reported by the NSA shortly after the analysis done by Dragos.

Targeting Schneider Electric MODICON and MODICON Nano PLCs, including TM251, TM241, M258, M238, LMC058, and LMC078; and OMRON Sysmac NJ and NX PLCs, including NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT.

DRAGOS

Pipedream follows the design of Stuxnet, Crash Override and Triton.

Vector: Windows-based engineering workspaces can be attacked via a vulnerability in the ASRock motherboard driver. It is unclear exactly how the APT pivots from the workspaces to the ICS devices, but this is one of the known ways of infecting the system.

ASRock

Chernovite
https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/
https://www.databreachtoday.com/whitepapers/pipedream-chernovites-emerging-malware-targeting-industrial-control-w-10132
https://www.dragos.com/threat/chernovite/

CHERNOVITE has the capability to disrupt, degrade, and potentially destroy industrial environments and physical processes in industrial environments. Through normal business, independent research, and collaboration with various partners in early 2022, Dragos identified and analyzed the capabilities of a new ICS-tailored malware PIPEDREAM. PIPEDREAM is the seventh known ICS-specific malware following STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, and TRISIS. CHERNOVITE has developed a highly capable offensive ICS malware framework. PIPEDREAM provides operators with the ability to scan for new devices, brute force passwords, sever connections, and crash the target device. To accomplish this, PIPEDREAM uses several different protocols including FINS, Modbus, and Schneider Electric's implementation of CoDeSys. Components of PIPEDREAM represent the ability to track the evolution of a new ICS capability based on known techniques from prior attacks. CRASHOVERRIDE and the associated Activity Group, Electrum, exploited the OPC-DA protocol to manipulate breakers and switch gear. CHERNOVITE, on the other hand, uses the newer but comparable OPC-UA protocol.

Incontroller Attack
https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool
https://itwire.com/guest-articles/guest-research/mandiant-warns-of-incontroller-ics-malware.html
https://therecord.media/us-agencies-warn-of-custom-made-hacking-tools-targeting-energy-sector-systems/

Several advanced persistent threat (APT) actors have created custom-made tools designed to breach IT equipment used in critical infrastructure facilities, according to a new advisory from multiple US agencies. In an alert released on Wednesday, the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) warned critical infrastructure operators of potential attacks targeting multiple industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices. The alert says the tools used in the attacks were designed specifically for Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers. Eric Byres, chief technology officer of ICS cybersecurity software firm aDolus Technology, told The Record that Schneider Electric MODICON PLCs and OPC Unified Architecture (OPC UA) servers are incredibly common and are used widely within many major industrial facilities across the US.

"The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network. Additionally, the actors can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities," the alert explained. "By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions."

The agencies urged energy sector organizations and other critical infrastructure facilities to implement the detection and mitigation recommendations provided in the alert.

Incontroller includes three tools that enable the attacker to send instructions to a variety of different industrial control system (ICS) devices embedded in different types of machinery across various critical industries (e.g. power plants, milling machines, industrial press machines used in many different manufacturing sectors, etc.). It is feasible that each tool could be used independently, or the actor may use the three tools to attack a single environment. They can be used to:

"The company notes the functionality of Incontroller 'is consistent with the malware used in Russia's prior cyber physical attacks.' As a result, Mandiant's experts believe 'Incontroller poses the greatest threat to Ukraine, NATO member states, and other states actively responding to Russia's invasion of Ukraine.' Mandiant director of intelligence analysis Nathan Brubaker said 'Mandiant, in partnership with Schneider Electric, recently analysed a set of novel ICS-oriented attack tools - which we call Incontroller - built to target specific Schneider Electric and Omron devices that are embedded in different types of machinery leveraged across multiple industries. Incontroller represents an exceptionally rare and dangerous cyber attack capability, following Stuxnet, Industroyer, and Triton as the fourth ever attack-oriented ICS malware. Incontroller is very likely state-sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction. While we are unable to definitively attribute the malware, we note that the activity is consistent with Russia's historical interest in ICS. Incontroller poses a critical risk to organizations leveraging the targeted and affected devices. Organizations should take immediate action to determine if the targeted ICS devices are present in their environments and begin applying vendor-specific countermeasures, discovery methods, and hunting tools.' Mandiant began conducting its analysis on Incontroller in early 2022, in partnership with Schneider Electric."

"In early 2022, Mandiant, in partnership with Schneider Electric, analyzed a set of novel industrial control system (ICS)-oriented attack tools - which we call INCONTROLLER (aka PIPEDREAM) - built to target machine automation devices. The tools can interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries. While the targeting of any operational environments using this toolset is unclear, the malware poses a critical risk to organizations leveraging the targeted equipment. INCONTROLLER is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction. INCONTROLLER represents an exceptionally rare and dangerous cyber attack capability. It is comparable to TRITON, which attempted to disable an industrial safety system in 2017; INDUSTROYER, which caused a power outage in Ukraine in 2016; and STUXNET, which sabotaged the Iranian nuclear program around 2010. To help asset owners find and defend against INCONTROLLER, we have included a range of mitigations and discovery methods throughout this report. As future modifications to these tools are likely, we believe behavior-based hunting and detection methods will be most effective."
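Added example (editor's note, not part of the original post and not code from CISA, Dragos or Mandiant): the quoted material says PIPEDREAM can "scan for new devices" over Modbus and that behavior-based hunting is the most durable defence. The block below shows one such hunt in working form: it parses Modbus/TCP frames (MBAP header plus the start of the PDU) and flags any source host that sends Read Device Identification requests (function 0x2B, MEI type 0x0E) to many distinct PLC/unit-ID pairs, which is what a device sweep of a PLC subnet looks like on the wire. The traffic, IP addresses and the threshold of five targets are constructed assumptions for illustration; they are not published indicators for this malware.

```python
"""Added example: Modbus/TCP parser + behaviour-based hunt for device enumeration.
Not from the advisory, Dragos or Mandiant. Frames, hosts and the threshold are
constructed assumptions for the example, not published indicators."""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MODBUS_PROTOCOL_ID = 0            # MBAP protocol identifier is always 0 for Modbus
FC_ENCAPSULATED_INTERFACE = 0x2B  # function code 43
MEI_READ_DEVICE_ID = 0x0E         # MEI type 14: Read Device Identification
FC_READ_HOLDING_REGISTERS = 0x03


@dataclass(frozen=True)
class ModbusRequest:
    src: str
    dst: str
    unit_id: int
    function_code: int
    mei_type: Optional[int]  # only populated for function 0x2B


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> Optional[ModbusRequest]:
    """Parse the MBAP header and the first PDU bytes; return None if not valid Modbus/TCP."""
    # MBAP: transaction id (2) | protocol id (2) | length (2) | unit id (1), then the PDU
    if len(payload) < 8:
        return None
    _tid, proto, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto != MODBUS_PROTOCOL_ID:
        return None
    # 'length' counts the unit id byte plus the PDU, i.e. everything after byte 6
    if length != len(payload) - 6:
        return None
    fc = payload[7]
    mei = None
    if fc == FC_ENCAPSULATED_INTERFACE:
        if len(payload) < 9:
            return None
        mei = payload[8]
    return ModbusRequest(src, dst, unit_id, fc, mei)


def find_device_enumeration(packets, min_targets: int = 5) -> Dict[str, List[Tuple[str, int]]]:
    """Hunt (assumed heuristic): sources that sent Read Device Identification to at least
    min_targets distinct (destination, unit id) pairs. Returns {src: sorted target list}."""
    targets = defaultdict(set)
    for src, dst, payload in packets:
        req = parse_modbus_tcp(src, dst, payload)
        if req is None:
            continue
        if req.function_code == FC_ENCAPSULATED_INTERFACE and req.mei_type == MEI_READ_DEVICE_ID:
            targets[req.src].add((req.dst, req.unit_id))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def _mbap(tid: int, unit_id: int, pdu: bytes) -> bytes:
    return struct.pack(">HHHB", tid, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit_id) + pdu


def build_read_device_id(tid: int, unit_id: int) -> bytes:
    # PDU: 2B | 0E | Read Device ID code 01 (basic) | Object Id 00 (VendorName)
    return _mbap(tid, unit_id, bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, 0x01, 0x00]))


def build_read_holding(tid: int, unit_id: int, addr: int, count: int) -> bytes:
    return _mbap(tid, unit_id, struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, addr, count))


# Constructed traffic (addresses made up): an HMI polling one PLC's holding registers
# (benign) and a second host sweeping the PLC subnet with Read Device Identification.
SAMPLE_PACKETS = [("10.0.1.5", "10.0.2.10", build_read_holding(t, 1, 0, 10)) for t in range(20)]
SAMPLE_PACKETS += [("10.0.1.77", f"10.0.2.{10 + i}", build_read_device_id(i, 1)) for i in range(7)]
SAMPLE_PACKETS += [("10.0.1.77", "10.0.2.10", build_read_device_id(100, 2))]  # second unit id
SAMPLE_PACKETS += [("10.0.1.9", "10.0.2.10", b"\x00\x01\x00\x00")]            # truncated junk


if __name__ == "__main__":
    for src, hits in find_device_enumeration(SAMPLE_PACKETS).items():
        print(f"{src}: Read Device Identification sent to {len(hits)} targets: {hits}")
```

On the constructed traffic only 10.0.1.77 is reported (eight distinct targets); the HMI's register polling never triggers the rule. To use this against real captures, feed it (src, dst, tcp payload) tuples from TCP port 502 sessions and tune the threshold to the site's baseline, since a legitimate asset-inventory tool will also trip it and should be an allow-listed source.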