Executive Summary
Summary | |
---|---|
Title | CrashOverride Malware |
Information | | | |
---|---|---|---|
Name | TA17-163A | First vendor Publication | 2017-06-12 |
Vendor | US-CERT | Last vendor Modification | 2017-06-12 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
CVSS vector: N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
CVSS vector: | | | |
---|---|---|---|
CVSS Base Score | N/A | Attack Range | N/A |
CVSS Impact Score | N/A | Attack Complexity | N/A |
CVSS Exploit Score | N/A | Authentication | N/A |
Detail
The National Cybersecurity and Communications Integration Center (NCCIC) is aware of public reports from ESET and Dragos outlining a new, highly capable Industrial Control Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine. As reported by ESET [ https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf ] and Dragos [ https://www.dragos.com/blog/crashoverride/ ], the CrashOverride malware is an extensible platform that could be used to target critical infrastructure sectors. NCCIC is working with its partners to validate the ESET and Dragos analysis and to develop a better understanding of the risk this new malware poses to U.S. critical infrastructure. Although this activity is still under investigation, NCCIC is sharing this report to provide organizations with detection and mitigation recommendations to help prevent future compromises within their critical infrastructure networks. NCCIC continues to work with interagency and international partners on this activity and will provide updates as information becomes available.

For a downloadable copy of IOCs, see:

* IOCs (.csv [ https://www.us-cert.gov/sites/default/files/publications/TA17-163A_IOCs.csv ])

To report activity related to this Alert, please contact NCCIC at NCCICCustomerService@hq.dhs.gov or 1-888-282-0870.

Risk Evaluation

NCCIC Cyber Incident Scoring System (NCISS) Rating Priority Level (Color): Yellow (Medium). A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

Details

There is no evidence to suggest this malware has affected U.S. critical infrastructure. However, the tactics, techniques, and procedures (TTPs) described as part of the CrashOverride malware could be modified to target U.S. critical information networks and systems.

Description

Technical Analysis

CrashOverride malware represents a scalable, capable platform. The modules and capabilities publicly reported appear to focus on organizations using the ICS protocols IEC101, IEC104, and IEC61850, which are more commonly used outside the United States in electric power control systems. The platform fundamentally abuses a targeted ICS system's legitimate control system functionality to achieve its intended effect. While the known capabilities do not appear to be U.S.-focused, it is more important to recognize that the general TTPs used in CrashOverride could be leveraged with modified technical implementations to affect U.S.-based critical infrastructure. With further modification, CrashOverride or similar malware could have implications beyond electric power, so all critical infrastructure organizations should be evaluating their systems for susceptibility to the TTPs outlined.

The malware has several reported capabilities:

* Issues valid commands directly to remote terminal units (RTUs) over ICS protocols. As reported by Dragos, one such command sequence toggles circuit breakers in a rapid open-close-open-close pattern. This could create conditions where individual utilities may island from infected parties, potentially resulting in a degradation of grid reliability.

Detection

As CrashOverride is a second-stage malware capability and has the ability to operate independently of initial C2, traditional methods of detection may not be sufficient to detect infections prior to the malware executing. As a result, organizations are encouraged to implement behavioral analysis techniques to attempt to identify precursor activity to CrashOverride. As additional information becomes available on stage-one infection vectors and TTPs, this alert will be updated. NCCIC is providing a compilation of indicators of compromise (IOCs) from a variety of sources in the appendices to aid in the detection of this malware.
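The rapid open-close-open-close breaker toggling reported by Dragos, and the behavioral detection the alert asks operators for, as an added example that is not part of the US-CERT alert or the vendor reports: a monitor that parses IEC 60870-5-104 I-frames carrying execute single or double commands and flags any (common address, IOA) whose commanded state flips four or more times within ten seconds. The thresholds, the build_frame helper and the sample frames are constructed assumptions, not data from the alert.

```python
import struct

C_SC_NA_1, C_DC_NA_1 = 45, 46   # IEC 104 type IDs: single command, double command

def parse_command(apdu: bytes):
    """Return (common_addr, ioa, state) for an execute command carried in an
    IEC 104 I-frame, else None. state is 1 for ON (close), 0 for OFF (open)."""
    if len(apdu) < 16 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2 or apdu[2] & 1:
        return None               # bad start/length, too short, or S/U frame (no ASDU)
    asdu = apdu[6:]               # skip the 6-byte APCI
    type_id, vsq, cot, _orig, common_addr = struct.unpack_from("<BBBBH", asdu, 0)
    if vsq & 0x80 or (cot & 0x3F) != 6:   # want one object, cause = activation (6)
        return None
    ioa = int.from_bytes(asdu[6:9], "little")   # 3-byte information object address
    qualifier = asdu[9]                         # SCO / DCO byte
    if qualifier & 0x80:          # S/E bit set: select only, nothing is switched yet
        return None
    if type_id == C_SC_NA_1:
        return common_addr, ioa, qualifier & 0x01          # SCS bit
    if type_id == C_DC_NA_1:
        dcs = qualifier & 0x03    # DCS: 1 = OFF, 2 = ON; 0 and 3 are not permitted
        return (common_addr, ioa, dcs - 1) if dcs in (1, 2) else None
    return None

def find_rapid_toggling(events, min_flips=4, window=10.0):
    """events: (timestamp, apdu) pairs, in time order per device. Returns the set
    of (common_addr, ioa) whose commanded state flipped min_flips+ times in window s."""
    history, flagged = {}, set()
    for ts, apdu in events:
        cmd = parse_command(apdu)
        if cmd is None:
            continue
        ca, ioa, state = cmd
        hist = history.setdefault((ca, ioa), [])
        if hist and hist[-1][1] == state:   # same command repeated: not a flip
            continue
        hist.append((ts, state))
        recent = [t for t, _ in hist if ts - t <= window]
        if len(recent) - 1 >= min_flips:    # k states inside the window = k-1 flips
            flagged.add((ca, ioa))
    return flagged

def build_frame(type_id, ioa, qualifier, common_addr=1):   # constructed sample I-frame
    asdu = struct.pack("<BBBBH", type_id, 1, 6, 0, common_addr)   # type, VSQ=1, COT=act
    asdu += ioa.to_bytes(3, "little") + bytes([qualifier])
    return bytes([0x68, 4 + len(asdu), 0, 0, 0, 0]) + asdu    # APCI with seq numbers 0

# Constructed samples: IOA 0x101 flipped once per second (5 flips in 5 s); IOA 0x202 closed once, opened 5 min later
SAMPLE_EVENTS = [(float(i), build_frame(C_SC_NA_1, 0x101, i & 1)) for i in range(6)]
SAMPLE_EVENTS += [(0.0, build_frame(C_SC_NA_1, 0x202, 1)), (300.0, build_frame(C_SC_NA_1, 0x202, 0))]
```

Running find_rapid_toggling(SAMPLE_EVENTS) flags only (1, 0x101); in practice the thresholds would be tuned to the switching rates the protection scheme actually permits.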
The sources provided do not constitute an exhaustive list, and the U.S. Government does not endorse or support any particular product or vendor's information referenced in this report. However, NCCIC has included this data to ensure wide distribution of the most comprehensive information available and will provide updates as warranted.

Signatures

YARA rules published by Dragos (the rule set imports the pe and hash modules):

* dragos_crashoverride_exporting_dlls
* dragos_crashoverride_suspcious
* dragos_crashoverride_name_search
* dragos_crashoverride_hashes
* dragos_crashoverride_moduleStrings
* dragos_crashoverride_configReader
* dragos_crashoverride_weirdMutex
* dragos_crashoverride_serviceStomper
* dragos_crashoverride_wiperModuleRegistry
* dragos_crashoverride_wiperFileManipulation

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

* temporary or permanent loss of sensitive or proprietary information,

Solution

Properly implemented defensive techniques and common cyber hygiene practices increase the complexity of barriers that adversaries must overcome to gain unauthorized access to critical information networks and systems. In addition, malicious network activity should trigger detection and prevention mechanisms that enable organizations to contain and respond to intrusions more rapidly. There is no set of defensive techniques or programs that will completely avert all attacks; however, layered cybersecurity defenses will aid in reducing an organization's attack surface and will increase the likelihood of detection. This layered mitigation approach is known as defense-in-depth.

Application Whitelisting

Application whitelisting (AWL) can detect and prevent attempted execution of malware uploaded by adversaries. Application whitelisting hardens operating systems and prevents the execution of unauthorized software. The static nature of some systems, such as database servers and human-machine interface (HMI) computers, makes these ideal candidates to run AWL. NCCIC encourages operators to work with their vendors to baseline and calibrate AWL deployments.

Manage Authentication and Authorization

This malware exploits the lack of authentication and authorization in common ICS protocols to issue unauthorized commands to field devices. Asset owners/operators should implement authentication and authorization protocols to ensure field devices verify the authenticity of commands before they are actioned. In some instances, legacy hardware may not be capable of implementing these protections. In these cases, asset owners can either leverage ICS firewalls to do stateful inspection and authentication of commands, or upgrade their field control devices.

Adversaries are increasingly focused on gaining control of legitimate credentials, especially those associated with highly privileged accounts. Compromising these credentials allows adversaries to masquerade as legitimate users, leaving less evidence of compromise than more traditional attack options (i.e., exploiting vulnerabilities or uploading malware). For this reason, operators should implement multi-factor authentication where possible and reduce privileges to only those needed for a user's duties. If passwords are necessary, operators should implement secure password policies, stressing length over complexity. For all accounts, including system and non-interactive accounts, operators should ensure credentials are unique and changed, at a minimum, every 90 days. NCCIC also recommends that operators require separate credentials for corporate and control network zones and store them in separate trust stores. Operators should never share Active Directory, RSA ACE servers, or other trust stores between corporate and control networks. Specifically, operators should:

* Decrease a threat actor's ability to access key network resources by implementing the principle of least privilege;

Handling Destructive Malware

Destructive malware continues to be a threat to both critical infrastructure and business systems. NCCIC encourages organizations to review the ICS-CERT destructive malware white paper [ https://ics-cert.us-cert.gov/sites/default/files/documents/Destructive_Malware_White_Paper_S508C.pdf ] for detailed mitigation guidance. It is important for organizations to maintain backups of key data, systems, and configurations such as:

* Server gold images,

Ensure Proper Configuration/Patch Management

Adversaries often target unpatched systems. A configuration/patch management program centered on the safe importation and implementation of trusted patches will help render control systems more secure. Such a program will start with an accurate baseline and asset inventory to track what patches are needed. The program will prioritize patching and configuration management of PC-architecture machines used in HMI, database server, and engineering workstation roles, as current adversaries have significant cyber capabilities against these systems. Infected laptops are a significant malware vector. Such a program will limit the connection of external laptops to the control network and ideally supply vendors with known-good company laptops. The program will also encourage initial installation of any updates onto a test system that includes malware detection features before the updates are installed on operational systems. NCCIC recommends that operators:

* Use best practices when downloading software and patches destined for their control network;

Build a Defendable Environment

Building a defendable environment will help limit the impact from network perimeter breaches. NCCIC recommends operators segment networks into logical enclaves and restrict host-to-host communication paths. This can prevent adversaries from expanding their access, while allowing the normal system communications to continue operating. Enclaving limits possible damage, as threat actors cannot use compromised systems to reach and contaminate systems in other enclaves. Containment provided by enclaving also makes incident cleanup significantly less costly. If one-way data transfer from a secure zone to a less secure zone is required, operators should consider using approved removable media instead of a network connection. If real-time data transfer is required, operators should consider using optical separation technologies. This allows replication of data without placing the control system at risk. Additional details on effective strategies for building a defendable ICS network can be found in the ICS-CERT Defense-in-Depth Recommended Practice [ http://ics-cert.us-cert.gov/Abstract-Defense-Depth-RP ].

Implement Secure Remote Access

Some adversaries are effective at gaining remote access into control systems, finding obscure access vectors, even hidden back doors intentionally created by system operators. Operators should remove such accesses wherever possible, especially modems, as these are fundamentally insecure.

* Limit any accesses that remain;

Monitor and Respond

Defending a network against modern threats requires actively monitoring for adversarial penetration and quickly executing a prepared response. Operators should:

* Consider establishing monitoring programs in the following key places: at the Internet boundary; at the business to Control DMZ boundary; at the Control DMZ to control LAN boundary; and inside the Control LAN;
* Have a response plan for when adversarial activity is detected.
* Have a restoration plan, including gold disks ready to restore systems to known good states.
Original Source
URL: http://www.us-cert.gov/ncas/alerts/TA17-163A
Alert History
Date | Information |
---|---|
2017-06-13 05:22:21 | |