ICS-SCADA

NSA/CISA joint report warns on attacks on critical industrial systems

NSA is warning of cyber attacks launched by foreign threat actors against organizations in the critical infrastructure sector across the U.S.

The U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of cyber attacks targeting critical infrastructure across the U.S.

“Over recent months, cyber-actors have demonstrated their continued willingness to conduct malicious cyber-activity against critical infrastructure (CI) by exploiting internet-accessible operational technology (OT) assets,” states the joint advisory published by the NSA/CISA, released on Thursday. “Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression.”

The US agencies urge owners and operators of critical infrastructure to adopt the necessary measures to improve the resilience and safety of U.S. systems used in critical environments. The NSA along with the CISA recommends that all DoD, NSS, DIB, and U.S. critical infrastructure facilities take immediate actions to secure their OT assets.

Attackers are targeting specific equipment, Triconex TriStation and Triconex Tricon Communication Module broadly adopted in industrial environments, such as power plants, factories, oil, and gas refineries.

In a separate security advisory, the ICS-CERT is warning of a critical security bug in the Schneider Electric Triconex TriStation and Tricon Communication Module.

This isn’t the first time that these systems were targeted by threat actors in the wild.

In December 2017, a new malicious code dubbed Triton malware  (aka Trisis) was discovered by researchers at FireEye, it was specifically designed to target industrial control systems (ICS) system.

Security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

The Triton malware was designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

TRITON is designed to communicate using the proprietary TriStation protocol which is not publicly documented, this implies that the attackers reverse engineered the protocol to carry out the attack.

Unfortunately, most of the OT systems used in industrial environments were never designed to be connected to the Internet, this means that they are particularly exposed to cyber-attacks.

Experts from CISA and NSA observed a mix of techniques used to target these systems in US critical infrastructures. The attack chain starts with spearphishing messages, once the attackers gained access to the organization’s IT network, they attempt lateral movements to target the OT network.

Below a list of recently observed Tactics, Techniques, and Procedures provided in the advisory.

  • Spearphishing [T1192] to obtain initial access to the organization’s information technology (IT) network before pivoting to the OT network.
  • Deployment of commodity ransomware to Encrypt Data for Impact [T1486] on both networks.
  • Connecting to Internet Accessible PLCs [T883] requiring no authentication for initial access.
  • Utilizing Commonly Used Ports [T885] and Standard Application Layer Protocols [T869], to communicate with controllers and download modified control logic.
  • Use of vendor engineering software and Program Downloads [T843].
  • Modifying Control Logic [T833] and Parameters [T836] on PLCs.

One of the bugs detailed in the NSA/CISA alert is a critical vulnerability in Triconex SIS, tracked as CVE-2020-7491, which was rated 10 on the CvSS vulnerability-severity scale.

The CVE-2020-7491 flaw is an improper access control flaw.

“A legacy debug port account in TCMs installed in Tricon system Versions 10.2.0 through 10.5.3 is visible on the network and could allow inappropriate access.” reads the advisory.

A successful attack on there safety instrumented system (SIS) controllers can allow an attacker to view clear text data on the network, trigger a denial-of-service condition, or allow improper access.

The vulnerabilities listed in the advisory impact TriStation 1131, v1.0.0 to v4.9.0, v4.10.0, and 4.12.0, operating on Windows NT, Windows XP or Windows 7; and Tricon Communications Module (TCM) Models 4351, 4352, 4351A/B, and 4352A/B installed in Tricon v10.0 to v10.5.3 systems.

The good news is that more recent versions of these SIS are not impacted by these vulnerabilities.

“OT assets are critical to the Department of Defense (DoD) mission and underpin essential National Security Systems (NSS) and services, as well as the Defense Industrial Base (DIB) and other critical infrastructure,” concludes the joint alert. “At this time of heightened tensions, it is critical that asset owners and operators of critical infrastructure take the following immediate steps to ensure resilience and safety of U.S. systems should a time of crisis emerge in the near term.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Triconex)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

3 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

15 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

19 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.