Malware

Malware posing as Siemens PLC application is targeting ICS worldwide

Findings of the MIMICS project conducted by Dragos Threat Operations Center show a malware posing as Siemens PLC application is targeting ICS worldwide.

After the disclosure of the Stuxnet case, the security industry started looking at ICS malware with increasing attention. A malware that infects an industrial control system could cause serious damages and put in danger human lives.

Ben Miller, Director of the Dragos Threat Operations Center, conducted an interesting research based on data regarding ICS incidents collected over the last 13+ years.

The project studied modern industrial control systems (MIMICS) from completely public datasets.

“In this project the Dragos, Inc. team looked at public data sources such as VirusTotal to identify malware and (in many cases) legitimate ICS files being uploaded to encourage a more nuanced discussion around security in the modern ICS.” explains Dragos CEO, Robert M. Lee. 

Miller discovered ~30k samples of infected ICS files and installers dating back to 2003. The most dangerous threats are malware that quickly spread like Sivis, Ramnit, and Virut.

The experts confirmed that the infections of ICSs are not rare, they highlighted that there are only three publicly showcased pieces of ICS tailored malware: StuxnetHavex, and BlackEnergy2. There have been rumors around another couple of ICS tailored malware exploited in active campaigns, some of them studied by researchers at IronGate.

One of the most interesting findings of the MIMICS research is that multiple variants of the same malware disguised as software for Siemens programmable logic controllers (PLCs) has been detected 10 times over the last 4 years. The last time this specific ICS malware was discovered was early March.

“Starting in 2013 there were submissions from an ICS environment in the US for Siemens programmable logic controller (PLC) control software. The various anti-virus vendors were flagging it as a false positive initially and then eventually a basic piece of malware.” continues Lee. “Upon our inspection, we found that variations of this file and Siemens theme 10 times over the last 4 years with the most recent flagging of this malicious software being this month in 2017. In short, there has been an active infection for the last 4 years of an adversary attempting to compromise industrial environments by theming their malware to look like Siemens control software. The malware is simply crimeware but has seemingly been effective.”

 

Researchers encurage asset owners and operators to implement simple best practices such as network security monitoring in order to protect their environments, for example software supply chain validation can be sufficient to drastically a concerning attack vector.

“The last finding we had was driven by the hypothesis that many of the IT security teams and security technologies that are not used to ICS environments may be flagging legitimate ICS software as malicious where it could be inappropriately placed in public databases.” concludes the report.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ICSs, malware)

 

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

14 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

20 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.