BlackEnergy*: More than power in a can, Mike Tyson* in an ICS APT !

By Maxime de Jabrun.

BlackEnergy malware compromises ICS connected to Internet

Last month, the ICS-CERT published an alert about an Advanced Persistent Threat (APT) that was using the BlackEnergy malware to compromise Industrial Control Systems environment. It targeted human-machine interfaces connected to Internet and use various vulnerabilities to infect the system. Different products have been targeted including GE Cimplicity, Siemens WinCC and Advantech/Broadwin WebAccess. It looks like GE Cimplicity was the first product infected by the malware using the vulnerability CVE-2014-0751 and activity has been detected since 2012.

The attacker injected two .cim (Cimplicity screen file) files that are used to install the BlackEnergy malware on the system. According to the ICS-CERT, the malware did not attempt to modify or damage any victim systems’ control processes but it is extremely modular and plugins can be downloaded afterwards. The full plugin list is not known today but some have been identified and they are already quite dangerous (password stealer, remote desktop access, keylogger, etc…). Thus, any companies which have been running Cimplity with the IHM directly connected to Internet since 2012 could be infected with the malware.

Project SHINE: make the public aware

These devices can easily be identified with Shodan, a tool that detect and identify any devices connected to internet based on filters you provide. The project SHINE (SHodan INtelligence Extraction) has been developed to extract information about SCADA and ICS software connected to internet using Shodan. A report released last month shows the important amount of information that can be gathered online and the volume of devices directly connected to Internet.

New tool release to improve SCADA and ICS security

To improve security, Billy Rios, a security expert created Whitescope, a database of valid files used by ICS and SCADA software. His goal is to have a whitelist of every known-good files from SCADA and ICS vendors and there is already 300 000 files in the database. The tool is free and maintains a collection of file hashes, registry changes and others information gathered during installation or on running systems. Having a file detected in the database ensure the user that he can trust it but, if it is not present, it does not necessarily mean that the file is malicious but IT security team can start an investigation . Billy Rios wants to add more and more files, Whitescope will have half a millions files in its database at the end of the year and he predicts to double this number before the first quarter of 2015 ends.

The use of whitelisting is a very good way to protect application from external and internal threats. Moreover it can be associated with other methods to have a complete set of security measures strengthening trust in ICS security.

 

*Note: BlackEnergy drink and Mike Tyson have nothing to do with the BlackEnergy malware.

Sources:

1. https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01A

2. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0751

3. https://securelist.com/blog/research/67353/be2-custom-plugins-router-abuse-and-target-profiles/

4. http://www.shodanhq.com/

5. http://fr.slideshare.net/BobRadvanovsky/project-shine-findings-report-dated-1oct2014

6. http://www.icswhitelist.com/

7. http://fr.slideshare.net/Mdejabrun/i-rs0006prsc10167748-dbeijafloresecwayleafletofferindustrial-it-cybersecurityen