
BlackEnergy targeting industrial control systems in the USA

Numerous industrial control systems (ICS) in the USA were compromised in a malicious campaign using a version of the BlackEnergy toolkit that was launched at least three years ago.

The HMI products Advantech/Broadwin WebAccess, GE Cimplicity and Siemens WinCC were targeted in the campaign, reported the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The experts suspect that other solutions may also be compromised, but there is no hard evidence so far.

The architecture of BlackEnergy is modular, which allows new modules to be added to cover additional functions. The malware is known to possess numerous capabilities, yet researchers have so far observed only the use of modules configured for lateral movement. What these modules do is scan for removable media and shared network locations. Experts have not found any evidence of BlackEnergy interfering with the control processes on the compromised systems.

Attack Vectors of BlackEnergy

The cybercriminals have leveraged the CVE-2014-0751 vulnerability in GE Cimplicity, which allows them to execute arbitrary code remotely via a specially crafted message sent to TCP port 10212.

The vulnerability was publicly reported at the beginning of the year, but according to ICS-CERT the hackers have been exploiting it since the beginning of 2012. In the campaign targeting Cimplicity products, BlackEnergy follows a self-delete pattern right after installation. To find and attack vulnerable systems, the crooks are probably using automated tools. The experts warn all companies that have been running Cimplicity since 2012 with their HMI directly connected to the Internet that they might be infected with BlackEnergy.

The attack vectors for the other HMI products have not been determined so far. Computers running the Advantech/Broadwin WebAccess control software and WinCC have been red-flagged because files related to BlackEnergy have been spotted on them.

Experts’ Recommendation

Companies that operate industrial control systems are strongly advised to review their assets for any sign of infection.

A BlackEnergy intrusion can be identified with the help of the YARA signature created by ICS-CERT. Users must keep in mind that the signature has not been tested in all environments or against all variants, so in case of any suspected findings they are asked to contact ICS-CERT immediately.
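As an added illustration of the two practical points above (the lateral-movement modules touch removable media and network shares, and detection relies on running a YARA signature over assets), here is a small Python scanner that parses a simple YARA-style rule and walks a directory tree, which could be a local disk, a mounted share or removable media. This is example code written for this page, not ICS-CERT's tooling, and the rule text it ships with is a constructed placeholder with made-up strings: ICS-CERT's actual BlackEnergy signature is not reproduced on this page and would be substituted in its place.

```python
"""Minimal YARA-style file scanner (added example; not ICS-CERT's signature).

Supports quoted text strings, fixed hex strings (no wildcards) and the
conditions 'any of them' / 'all of them', which is enough to exercise the
workflow of scanning a tree of files for indicator strings.
"""
import os
import re
import tempfile

# Constructed placeholder rule in YARA syntax. The strings are made up for
# this example and are NOT indicators from the ICS-CERT BlackEnergy signature.
PLACEHOLDER_RULE = r'''
rule placeholder_blackenergy_indicator
{
    strings:
        $s1 = "PLACEHOLDER_MARKER_A"
        $s2 = "PLACEHOLDER_MARKER_B"
        $h1 = { DE AD BE EF 00 }
    condition:
        any of them
}
'''

_TEXT_RE = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
_HEX_RE = re.compile(r'\$(\w+)\s*=\s*\{([0-9A-Fa-f\s]+)\}')


def parse_rule(text):
    """Return (rule name, {identifier: bytes pattern}, 'any'|'all')."""
    name_m = re.search(r'rule\s+(\w+)', text)
    strings_m = re.search(r'strings:(.*?)condition:', text, re.S)
    cond_m = re.search(r'condition:\s*(any|all)\s+of\s+them', text)
    if not (name_m and strings_m and cond_m):
        raise ValueError("unsupported rule syntax")
    section = strings_m.group(1)
    patterns = {}
    for ident, lit in _TEXT_RE.findall(section):
        # Only the two escapes needed for quoted strings are unescaped here.
        patterns[ident] = lit.replace('\\"', '"').replace('\\\\', '\\').encode()
    for ident, hexbody in _HEX_RE.findall(section):
        patterns[ident] = bytes.fromhex(''.join(hexbody.split()))
    return name_m.group(1), patterns, cond_m.group(1)


def scan_bytes(data, patterns, condition):
    """Evaluate the rule on one file's contents; returns (hit, matched ids)."""
    matched = {ident for ident, pat in patterns.items() if pat in data}
    hit = bool(matched) if condition == 'any' else matched == set(patterns)
    return hit, sorted(matched)


def scan_tree(root, rule_text, max_size=50 * 1024 * 1024):
    """Walk root and return [(path, matched ids)] for files satisfying the rule.

    Files larger than max_size and unreadable files are skipped, so a scan of
    a large share or a removable drive does not stall on one object.
    """
    _, patterns, condition = parse_rule(rule_text)
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, 'rb') as fh:
                    data = fh.read()
            except OSError:
                continue
            hit, matched = scan_bytes(data, patterns, condition)
            if hit:
                hits.append((path, matched))
    return hits


def build_sample_tree():
    """Constructed sample tree: one benign file and one file carrying the
    placeholder hex marker inside a 'share' subdirectory."""
    root = tempfile.mkdtemp(prefix='be_scan_')
    os.makedirs(os.path.join(root, 'share'))
    with open(os.path.join(root, 'readme.txt'), 'wb') as fh:
        fh.write(b'normal HMI project notes\n')
    with open(os.path.join(root, 'share', 'dropped.bin'), 'wb') as fh:
        fh.write(b'\x00' * 16 + b'\xde\xad\xbe\xef\x00' + b'\x00' * 16)
    return root


if __name__ == '__main__':
    sample_root = build_sample_tree()
    for path, matched in scan_tree(sample_root, PLACEHOLDER_RULE):
        print(f'HIT {path}: {matched}')
```

In practice the real YARA engine (or ICS-CERT's own instructions) should be used with the published signature; the point of the example is the scope of the scan, which has to include the removable media and shared locations that the lateral-movement modules touch, and the handling of oversized or unreadable files so that one object does not abort a sweep of an HMI host.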


Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a safer cyberspace. Her fascination with IT security began a few years ago, when a piece of malware locked her out of her own computer.
