Gov’t Advisory Warns of Pipedream Malware Aimed at ICS
The U.S. government this week tried to get ahead of possible attacks on industrial control systems (ICS), particularly in the energy sector, via the recently discovered Pipedream malware, a modular ICS attack framework that is equally dangerous to industrial controllers such as those from Omron and Schneider Electric and to industrial technologies like Modbus, CODESYS and OPC UA.
That’s an awful lot of industrial systems around the globe that could be targets of attack.
“Certain advanced persistent threat (APT) actors have exhibited the ability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices,” the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the FBI said in a joint Cybersecurity Advisory (CSA).
“ICS SCADA and IoT devices are honeypots for threat actors as they represent soft targets. Such systems are often managed by the facilities team and not always at the latest firmware levels and, consequently, seldom fully compliant with Purdue MEP NIST 800-53 frameworks,” said Raju Pimplasker, CEO at Dispersive Holdings, Inc.
Marty Edwards, vice president of OT security at Tenable, who served as President Obama’s CERT director, called the alert “concerning,” particularly since “the actors are apparently capable of directly interacting and manipulating the OT devices.”
And “if attackers are successful, the consequences of such intrusions are vast and can be potentially devastating. When your adversary is using advanced tools to potentially disrupt your system, then organizations must have the people, processes and technology in place beforehand to harden their environments and detect any malicious activity.”
Noting that the bad actors have created “custom-made tools” that target ICS/SCADA devices, the agencies said they can “scan for, compromise and control affected devices once they have established initial access to the operational technology (OT) network.”
If that’s not bad enough, the miscreants “can compromise Windows-based engineering workstations, which may be present in information technology (IT) or OT environments, using an exploit that compromises an ASRock motherboard driver with known vulnerabilities,” the government said. “By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment and disrupt critical devices or functions.”
The government is particularly worried about organizations in the energy sector.
The modular architecture and ability to conduct highly automated exploits against devices make Pipedream particularly dangerous, although there is no evidence of compromise just yet. “The tools have a virtual console with a command interface that mirrors the interface of the targeted ICS/SCADA device,” the alert explained. “Modules interact with targeted devices, enabling operations by lower-skilled cyber actors to emulate higher-skilled actor capabilities.”
The APT actors can “scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents and modify device parameters,” the agencies noted.
“The APT actors can use a tool that installs and exploits a known-vulnerable ASRock-signed motherboard driver, AsrDrv103.sys, exploiting CVE-2020-15368 to execute malicious code in the Windows kernel,” they said. “Successful deployment of this tool can allow APT actors to move laterally within an IT or OT environment and disrupt critical devices or functions.”
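The two behaviours the advisory names, sweeping the OT network for targeted devices and loading the known-vulnerable AsrDrv103.sys driver on an engineering workstation, are both visible in ordinary telemetry. The script below is an added example written for this article, not code from the advisory, CISA or any vendor: it runs over a handful of constructed driver-load events and flow records and flags (a) any load of a driver on the vulnerable-driver list and (b) any host outside an assumed allowlist that touches several controllers on Modbus/TCP (502) or OPC UA (4840). The key=value event layout, the host names, the IP ranges and the allowlist are all assumptions; only the driver name comes from the advisory.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Sample driver-load events, constructed for this example (not real telemetry).
# Fields follow a generic key=value layout; map them to whatever your EDR or
# Sysmon pipeline emits. The driver name AsrDrv103.sys is the one named in the
# joint advisory (CVE-2020-15368).
DRIVER_EVENTS = [
    "host=eng-ws-01 event=DriverLoad image=C:\\Windows\\System32\\drivers\\disk.sys signer=Microsoft",
    "host=eng-ws-01 event=DriverLoad image=C:\\Users\\operator\\AppData\\Local\\Temp\\AsrDrv103.sys signer=ASRock",
    "host=eng-ws-02 event=DriverLoad image=C:\\Windows\\System32\\drivers\\asrdrv103.sys signer=ASRock",
    "host=hmi-03 event=DriverLoad image=C:\\Windows\\System32\\drivers\\tcpip.sys signer=Microsoft",
]

# Sample flow records (src, dst, dst_port), also constructed. An engineering
# workstation polling its own PLCs is normal; one host touching many PLCs on
# ICS ports is the reconnaissance pattern worth surfacing.
FLOWS = [
    ("10.10.1.5", "10.20.0.11", 502),   # engineering workstation -> PLC, expected
    ("10.10.1.5", "10.20.0.12", 502),
    ("10.10.5.77", "10.20.0.11", 502),  # unknown host sweeping the PLC subnet
    ("10.10.5.77", "10.20.0.12", 502),
    ("10.10.5.77", "10.20.0.13", 502),
    ("10.10.5.77", "10.20.0.14", 4840),
    ("10.10.5.77", "10.20.0.15", 4840),
    ("10.10.7.9", "10.20.0.11", 4840),  # single touch, stays below threshold
]

# Default ports for Modbus/TCP and OPC UA; add CODESYS or vendor ports as your
# environment dictates.
ICS_PORTS = {502: "Modbus/TCP", 4840: "OPC UA"}
# Assumed allowlist of hosts permitted to talk to controllers.
ALLOWED_ICS_CLIENTS = {"10.10.1.5"}
# Known-vulnerable driver from the advisory; matched on basename, case-insensitively.
VULNERABLE_DRIVERS = {"asrdrv103.sys"}


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a 'k=v k=v ...' record; values contain no spaces in this layout."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def find_vulnerable_driver_loads(events: List[str]) -> List[Tuple[str, str]]:
    """Return (host, image_path) for every load of a driver on the vulnerable list."""
    hits = []
    for line in events:
        rec = parse_kv(line)
        if rec.get("event") != "DriverLoad":
            continue
        image = rec.get("image", "")
        basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in VULNERABLE_DRIVERS:
            hits.append((rec.get("host", "?"), image))
    return hits


def find_ics_scanners(flows: List[Tuple[str, str, int]], min_targets: int = 3) -> Dict[str, int]:
    """Map each non-allowlisted source to the number of distinct (dst, port)
    ICS endpoints it contacted, keeping only sources at or above min_targets."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port in ICS_PORTS and src not in ALLOWED_ICS_CLIENTS:
            targets[src].add((dst, port))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for host, image in find_vulnerable_driver_loads(DRIVER_EVENTS):
        print(f"[driver] {host}: loaded {image}")
    for src, n in find_ics_scanners(FLOWS).items():
        print(f"[scan] {src}: contacted {n} distinct ICS endpoints")
```

Matching on the driver's file name is the weakest of the signals here, since the file can be renamed; in a real pipeline, key the driver check on the signer and the file hash from the vendor or CISA advisory as well, and treat any ASRock-signed driver loading from a user-writable directory on an engineering workstation as worth a look regardless of name. The scan check is deliberately simple (distinct endpoints per source) so that the threshold and allowlist can be tuned to the site's normal polling behaviour.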
The government alert could be responding “to recent reports from ESET, Microsoft and CERT-UA about a new variant of the Industroyer malware in Ukraine,” said Silas Cutler, principal reverse engineer at Stairwell. “Both Industroyer and Pipedream highlight the continued targeting of critical infrastructure by foreign adversaries through cyberwarfare.”
Cutler said that “while critical infrastructure is generally considered off-limits for cyber operations because of the risk of endangering consumers, we’ve seen attacks against both communication infrastructure (Viasat) and Ukraine’s electrical grid in the midst of this conflict.”