CyberWisdom Curated Commentary on Seven Articles with Summaries:
Tech Republic and GBHackers and other Cyber News Magazines reported that a dangerous malware family called “TRITON” distributing to attack Industrial control systems that leads to Perform an emergency shutdown the industrial processes. Researchers believe that this malware has the capacity to cause physical damage and inadvertently shut down operations. Hackers attempted to reprogram the safety system, which triggered a failsafe mode on a Distributed Control System (DCS) provides human operators with the ability to remotely monitor and control on a Triconex Safety Instrumented System (SIS)
The malware, dubbed Triton by the researchers, was created specifically to interface with the SIS controllers in use at the organization. The attacks follow a trend of malware created to target industrial control systems (ICS), which grew after the 2010 Stuxnet attack in Iran, said.by FireEye researchers explained in a Thursday blog post.
According to the post, an attacker got access to an actual SIS engineering workstation (which was running Windows) before deploying the Triton malware. The original goal was to use the malicious software to reprogram the safety controllers.Triton’s presence was detected by some of the SIS controllers, which then proceeded to enter a failsafe state. This, in turn, prompted the shutdown of industrial processes and triggered an investigation by the owner.
“The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check — resulting in an MP diagnostic failure message,” the post said.
While the attacker(s) didn’t achieve their main goal of causing physical damage, they did inadvertently cause the plant to shut down. This is a much better scenario, but still likely resulted in financial losses due to downtime and a complex startup process to get everything going again, the post noted.
The original curated post is from Safe Harbor on Cyber.com
New Malware “TRITON” Manipulate and Shutdown the Industrial Control Systems
A dangerous malware family called “TRITON” distributing to attack Industrial control systems that leads to Perform an emergency shutdown the industrial processes. Researchers believe that this malware has capable to cause physical damage and inadvertently shut down operations. A Distributed Control System (DCS) provides human operators with the ability to remotely monitor and control an… New Malware “TRITON” Manipulate and Shutdown the Industrial Control Systems
Massive nation state malware attack shuts down industrial plant
Using the Triton malware, hackers attempted to reprogram the safety system, which triggered a failsafe mode…. Massive nation state malware attack shuts down industrial plant
CyberWisdom found additional Articles from various sources Read on…
Additional information from Security Affairs:
Now, security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.
Iranian hackers are becoming even more aggressive, but experts always highlighted that they are not particularly sophisticated.
In October, the OilRig gang was spotted using a new Trojan in attacks aimed at targets in the Middle East.
OilRig is just one of the Iran-linked hacker crews, other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.
In February, researchers at Palo Alto Networks have discovered a new cyber espionage campaign linked to Iran that targeted several organizations in the Middle East.
The espionage campaign dubbed Magic Hound, dates back at least mid-2016. Hackers targeted organizations in the energy, government, and technology industries, all the targets are located or have an interest in Saudi Arabia.
Iran was responsible for destructive attacks on Saudi Aramco systems in 2012, and now CyberX is attributing the Triton malware to the Government of Teheran.
According to the experts, the shutdown was likely an accident during the reconnaissance phase conducted by the threat actors whose final goal was the sabotage.
Schneider Electric is investigating the attack to discover if the threat actors exploited any vulnerability in the Triconex product.
Schneider published a security advisory to warn its customers, it suggests avoiding leaving the front panel key position in “Program” mode when the controller is not being configured. The malicious code can only deliver its payload if the key switch is set to this mode.
“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICSCERT to investigate and mitigate the risks of this type of attack.” reads the security advisory.
Triton malware was developed by Iran and used to target Saudi Arabia
CyberX who analyzed samples of the Triton malware believes it was likely developed by Iran and used to target an organization in Saudi Arabia. Security experts from security firms FireEye and Dragos reported this week the discovery of a new strain of malware dubbed Triton (aka Trisis) specifically designed to target industrial control systems (ICS). Triton malware was developed by Iran and used to target Saudi Arabia
Triton Malware Targets Industrial Control Systems in Middle East
Malware intended for a “high-impact” attack against safety systems likely would of caused physical damage to a targeted company located in the Middle East. Triton Malware Targets Industrial Control Systems in Middle East
Added information from article from Security Week:
CyberX has also obtained samples of the malware and based on its threat intelligence team’s investigation, Triton/Trisis was likely created by Iran and the victim was likely an organization in Saudi Arabia.
“It’s widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs. This would definitely be an escalation of that threat because now we’re talking about critical infrastructure — but it’s also a logical next step for the adversary,” Phil Neray, VP of Industrial Cybersecurity for CyberX, told SecurityWeek.
“Stuxnet and more recently Industroyer showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and Triton appears to be simply an evolution of those approaches,” Neray added.
FireEye and Dragos would not comment on CyberX’s theory about Triton being developed and used by Iran. FireEye did, however, note in its report that the methods used were consistent with attacks previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors.
Triton is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially dangerous situation.
The malware uses the proprietary TriStation protocol to communicate with SIS controllers, and it’s capable of adding new ladder logic that allows the attackers to manipulate devices.
In the attack analyzed by FireEye and Dragos, the hackers’ activities resulted in the SIS controller triggering a process shutdown, which led to the discovery of the attack. However, experts believe the shutdown was likely an accident. One possible scenario is that the attackers were conducting reconnaissance as part of an operation whose ultimate goal was to cause physical damage.
Schneider Electric has published an advisory to inform customers about the incident and provide recommendations on how to prevent potential attacks. The company says there is no evidence that the malware exploits any vulnerabilities in the Triconex product, but it’s still working on determining if there are any other attack vectors.
“I think it’s a little comical that Schneider Electric felt obliged to state that the attack did not leverage any vulnerabilities in the Tritex product,” Neray commented. “OT environments are ‘vulnerable by design’ because they lack many of the controls we now take for granted in IT networks such as strong authentication. As a result, once an attacker gets into the OT network — by stealing credentials or connecting an infected laptop or USB, for example — they have almost free reign to connect to any control device they choose, and then reprogram them with malicious ladder logic to cause unsafe conditions. Based on the FireEye report, this appears to be exactly what the TRITON attackers did, similar to the way Industroyer modified ABB configuration files to perform its attack on the Ukrainian grid.”
Iran Used “Triton” Malware to Target Saudi Arabia: Researchers
The recently uncovered malware known as “Triton” and “Trisis” was likely developed by Iran and used to target an organization in Saudi Arabia, according to industrial cybersecurity and threat intelligence firm CyberX. Iran Used “Triton” Malware to Target Saudi Arabia: Researchers
read more at securityweek.com
Further information via automationworld.com revealed -The malware referred to as Triton is significant to our community because it is not only part of an increasing focus of attacks on industrial control systems (ICSs), but it is the first to directly target a safety instrumented system (SIS). Specifically, the attack targeted the facility’s Triconex safety system from Schneider Electric, which responded appropriately by shutting down operations.
“There are some players in the market that believe that there’s no way anyone can impact the safety systems,” says Emily S. Miller, director of national security and critical infrastructure programs at Mocana. “But this is a verifiable incident where, based on initial reporting, 1) it’s clear that actors are wanting to learn about and impact safety systems; and 2) the safety systems were tripped due to malicious cyber actors working in the space.”
“It’s important to note that the purpose of this attack was to target the site/customer,” says Andy Kling, director of cybersecurity and architecture at Schneider Electric. “While Triton was designed to tamper with our products, it’s only because they’re the products that happened to be on site at this location. The malware leverages no inherent vulnerability in Schneider Electric’s product.”
Cyber Attack Hits Safety System in Critical Infrastructure
Industry is abuzz this week over reports issued by both FireEye and Dragos about a cybersecurity incident that took place at a critical infrastructure facility in the Middle East. As a publication focused on a broad spectrum of automation and control technologies throughout manufacturing, Automation World doesn’t really have the resources—or the inclination—to report about every network breach that hits the news. Nor do you have the time to fuss over each attack. But this one is worth your time to sit up and take note. The malware referred to as Triton is significant to our community because it is not only part of an increasing focus of attacks on industrial control systems (ICSs), but it is the first to directly target a safety instrumented system (SIS). Specifically, the attack targeted the facility’s Triconex safety system from Schneider Electric, which responded appropriately by shutting down operations. Cyber Attack Hits Safety System in Critical Infrastructure
Remedies found from the following Article Via securityboulevard.com
According to FireEye, to limit the threat to their control systems, industrial infrastructure operators should take a few actions:
- Where technically feasible, segregate safety system networks from process control and information system networks. Engineering workstations capable of programming SIS controllers should not be dual-homed to any other DCS process control or information system network.
- Leverage hardware features that provide for physical control of the ability to program safety controllers. These usually take the form of switches controlled by a physical key. On Triconex controllers, keys should not be left in the PROGRAM mode other than during scheduled programming events.
- Implement change management procedures for changes to key position. Audit current key state regularly.
- Use a unidirectional gateway rather than bidirectional network connections for any applications that depend on the data provided by the SIS.
- Implement strict access control and application whitelisting on any server or workstation endpoints that can reach the SIS system over TCP/IP.
- Monitor ICS network traffic for unexpected communication flows and other anomalous activity.
New Triton Malware Framework Attacks Critical Infrastructure
Security researchers have come across new malware designed to infect specialized safety controllers used in industrial infrastructure, in what is believed to be a well-funded nation state attack. The malware framework was recovered by FireEye’s Mandiant incident response team while investigating an emergency shutdown event at a critical infrastructure organization. The team believes that Triton, which can reprogram Triconex safety instrumented system (SIS) controllers, caused a failed validation check between redundant units, which forced an industrial process into a failed safe state. “We assess with moderate confidence that the attacker inadvertently shut down operations while developing the ability to cause physical damage,” the researchers said in a blog post. “FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that the actor is sponsored by a nation state. The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor. New Triton Malware Framework Attacks Critical Infrastructure
Symantec said in a advisory report that TRITON was aware of SIS at least since September this year. It works by infecting Windows systems that may eventually connect to SIS workstations or devices. Malware injects code to modify the behavior of SIS devices. Symantec said the company is still investigating the potential damage done by TRITON, but said malicious software could cause serious disruption to the target organization.
FireEye said some clues suggest that the actors in a nation-state are behind the attacks. First, attackers have no incentive at all for monetary gains and appear to be interested in high-impact attacks through the SIS. TRITON was deployed almost immediately after an attacker acquired the SIS, indicating that the tool has been developed and tested with specialized equipment and tools that are not generally available to ordinary cybercriminals.
TRITON Attacker Disrupts ICS Operations, While Botching Attempt to Cause Physical Damage
TRITON malware is discovered after an attack on a safety monitoring system accidentally triggered the shutdown of an industrial process at an undisclosed organization…. TRITON Attacker Disrupts ICS Operations, While Botching Attempt to Cause Physical Damage
The original curated post is from Safe Harbor on Cyber.com
If like to receive more of these curated news alerts then subscribe to my mailing list.