BlackEnergy exploits recently fixed flaws in Siemens WinCC

The ICS-CERT revealed that the BlackEnergy malware targeted SCADA HMI systems may be exploiting a recently patched flaw in the Siemens SIMATIC WinCC.

Security experts at the Industrial Control System Cyber Emergency Response Team (ICS-CERT)  reported that the BlackEnergy malware was used by threat actors in the wild to compromise HMI (human-machine interface) systems. The experts explained that the malware was specifically improved to exploit a recently patched vulnerability in the Siemens SIMATIC WinCC software to compromise some systems.

Siemens has issued a software update for SIMATIC WinCC on Nov. 11, which fixes two critical vulnerabilities, including an unauthenticated remote code execution.

In October, the ICS-CERT published an advisory warning of critical vulnerabilities in ICS and SCADA gear actively exploited by the malware.

“ICS-CERT has identified a sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments using a variant of the BlackEnergy malware. Analysis indicates that this campaign has been ongoing since at least 2011. Multiple companies working with ICS-CERT have identified the malware on Internet-connected human-machine interfaces (HMIs).” reports the advisory.

The ICS-CERT warned that the BlackEnergy malware was targeting three specific HMI products: GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC.

“At this time, ICS-CERT has not identified any attempts to damage, modify, or otherwise disrupt the victim systems’ control processes. ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system. However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. The malware is highly modular and not all functionality is deployed to all victims,” the alert continues.

The disclosure of the vulnerabilities affecting the Siemens WinCC allowed experts to understand the attack chain implemented by the authors of BlackEnergy. The experts at ICS-CERT confirmed that one of the flaws was compromised by the BlackEnergy malware.

“While ICS-CERT lacks definitive information on how WinCC systems are being compromised by BlackEnergy, there are indications that one of the vulnerabilities fixed with the latest update for SIMATIC WinCC may have been exploited by the BlackEnergy malware.g ICS-CERT strongly encourages users of WinCC, TIA Portal, and PCS7 to update their software to the most recent version as soon as possible,” the updated alert says.

The security of SCADA and ICS systems is a pillar of any cyber strategy, the discovery made by experts at ICS-CERT on the BlackEnergy malware confirms that threat actors are becoming even more aggressive against US critical infrastructure.

Pierluigi Paganini

(Security Affairs –  BlackEnergy, malware)