NSA/CISA joint report warns on attacks on critical industrial systems

NSA is warning of cyber attacks launched by foreign threat actors against organizations in the critical infrastructure sector across the U.S.

The U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of cyber attacks targeting critical infrastructure across the U.S.

“Over recent months, cyber-actors have demonstrated their continued willingness to conduct malicious cyber-activity against critical infrastructure (CI) by exploiting internet-accessible operational technology (OT) assets,” states the joint advisory published by the NSA/CISA, released on Thursday. “Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression.”

The US agencies urge owners and operators of critical infrastructure to adopt the necessary measures to improve the resilience and safety of U.S. systems used in critical environments. The NSA along with the CISA recommends that all DoD, NSS, DIB, and U.S. critical infrastructure facilities take immediate actions to secure their OT assets.

Attackers are targeting specific equipment, Triconex TriStation and Triconex Tricon Communication Module broadly adopted in industrial environments, such as power plants, factories, oil, and gas refineries.

In a separate security advisory, the ICS-CERT is warning of a critical security bug in the Schneider Electric Triconex TriStation and Tricon Communication Module.

This isn’t the first time that these systems were targeted by threat actors in the wild.

In December 2017, a new malicious code dubbed Triton malware  (aka Trisis) was discovered by researchers at FireEye, it was specifically designed to target industrial control systems (ICS) system.

Security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

The Triton malware was designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

TRITON is designed to communicate using the proprietary TriStation protocol which is not publicly documented, this implies that the attackers reverse engineered the protocol to carry out the attack.

Unfortunately, most of the OT systems used in industrial environments were never designed to be connected to the Internet, this means that they are particularly exposed to cyber-attacks.

Experts from CISA and NSA observed a mix of techniques used to target these systems in US critical infrastructures. The attack chain starts with spearphishing messages, once the attackers gained access to the organization’s IT network, they attempt lateral movements to target the OT network.

Below a list of recently observed Tactics, Techniques, and Procedures provided in the advisory.

• Spearphishing [T1192] to obtain initial access to the organization’s information technology (IT) network before pivoting to the OT network.
• Deployment of commodity ransomware to Encrypt Data for Impact [T1486] on both networks.
• Connecting to Internet Accessible PLCs [T883] requiring no authentication for initial access.
• Utilizing Commonly Used Ports [T885] and Standard Application Layer Protocols [T869], to communicate with controllers and download modified control logic.
• Use of vendor engineering software and Program Downloads [T843].
• Modifying Control Logic [T833] and Parameters [T836] on PLCs.

One of the bugs detailed in the NSA/CISA alert is a critical vulnerability in Triconex SIS, tracked as CVE-2020-7491, which was rated 10 on the CvSS vulnerability-severity scale.

The CVE-2020-7491 flaw is an improper access control flaw.

“A legacy debug port account in TCMs installed in Tricon system Versions 10.2.0 through 10.5.3 is visible on the network and could allow inappropriate access.” reads the advisory.

A successful attack on there safety instrumented system (SIS) controllers can allow an attacker to view clear text data on the network, trigger a denial-of-service condition, or allow improper access.

The vulnerabilities listed in the advisory impact TriStation 1131, v1.0.0 to v4.9.0, v4.10.0, and 4.12.0, operating on Windows NT, Windows XP or Windows 7; and Tricon Communications Module (TCM) Models 4351, 4352, 4351A/B, and 4352A/B installed in Tricon v10.0 to v10.5.3 systems.

The good news is that more recent versions of these SIS are not impacted by these vulnerabilities.

“OT assets are critical to the Department of Defense (DoD) mission and underpin essential National Security Systems (NSS) and services, as well as the Defense Industrial Base (DIB) and other critical infrastructure,” concludes the joint alert. “At this time of heightened tensions, it is critical that asset owners and operators of critical infrastructure take the following immediate steps to ensure resilience and safety of U.S. systems should a time of crisis emerge in the near term.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Triconex)

[adrotate banner=”5″]

[adrotate banner=”13″]