October 24, 2014

Malware found in U.S. power plants, should America be worried?

(LiveHacking.Com) – According to a new report (pdf) released by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Department of Homeland Security’s Office of Cybersecurity and Communications, the last three months of 2012 saw at least two instances of malware infecting computers inside power generation facilities.

The first case came to ICS-CERT’s attention when it was contacted by the staff at a power generation facility. Several different pieces of malware, classified as both common and sophisticated, were discovered when an employee asked IT staff to inspect a USB drive used to back up control system configurations within the control environment.

Initial analysis of the malware found on the USB drive raised alarms, since one of the infections was linked to known sophisticated malware. ICS-CERT engineers went on-site and took drive images of the infected hardware. The engineers also discovered that two critical engineering workstations infected by the malware had no backups; a poor or incorrect removal of the malware would have significantly impaired the operation of the power plant.

A cleanup procedure was developed and executed together with the organization’s control system vendor to ensure that it would not adversely impact the critical workstations.

The second case happened in early October. A power company contacted ICS-CERT to inform it of a malware infection in a turbine control system. The malware infected around ten computers on the control system network, which was down due to a scheduled outage for equipment upgrades. The infection resulted in more downtime than planned and delayed the plant restart by approximately 3 weeks.

“ICS-CERT continues to emphasize that owners and operators of critical infrastructure should develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media. Such practices will mitigate many issues that could lead to extended system downtimes,” said the ICS-CERT report. “Defense-in-depth strategies are also essential in planning control system networks and in providing protections to reduce the risk of impacts from cyber events.”

It is clear that these key infrastructural facilities need to have the correct security and backup policies and procedures in place, something which is sorely lacking at the moment.

ICS-CERT Warns of Hardcoded Backdoors in Industrial Control Systems

(LiveHacking.Com) – Independent security researcher Rubén Santamarta has published details of hardcoded backdoors in the Schneider Electric NOE771 Quantum Ethernet Module. Subsequently the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published an alert warning of the multiple vulnerabilities in the module.

The backdoors are as follows:

  • Telnet port – May allow remote attackers the ability to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
  • Windriver Debug port – Used for development; may allow remote attackers to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
  • FTP service – May allow an attacker to modify the module website, download and run custom firmware, and modify the http passwords.

Rubén’s research shows that credentials are hardcoded in Java JAR files stored on the device. For example, Rubén shows the FTP username (‘sysdiag’) and password. The result is that:

  • Modicon PLCs can be compromised via the NOE Ethernet modules through FTP, Telnet, Modbus, WDB, SNMP, web, etc.
  • An attacker could load their own trojanized firmware.
  • There are undocumented hidden accounts that can be used to compromise a PLC.
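As an added defensive example (not from the article, the researcher or ICS-CERT), the check below walks constructed firewall and FTP log lines and flags sessions that reach a module’s Telnet, FTP or WDB debug ports, raising the severity when the source is outside the engineering network, plus any FTP login with the hardcoded ‘sysdiag’ account. The subnet addresses, the log format and the WDB port are assumptions.

```python
import re

# Constructed sample log lines (not from the page). The module subnet,
# engineering subnet and log layout are invented for this example.
SAMPLE_LOGS = [
    "2014-10-24T09:00:01 fw allow src=10.1.2.50 dst=10.1.9.20 dport=21 proto=tcp",
    "2014-10-24T09:00:02 ftpd login user=sysdiag host=10.1.9.20 result=OK",
    "2014-10-24T09:05:10 fw allow src=10.1.2.51 dst=10.1.9.20 dport=23 proto=tcp",
    "2014-10-24T09:06:00 fw allow src=192.168.77.9 dst=10.1.9.21 dport=17185 proto=udp",
    "2014-10-24T09:07:00 fw allow src=10.1.2.52 dst=10.1.9.20 dport=502 proto=tcp",
    "2014-10-24T09:08:00 ftpd login user=engineer host=10.1.9.20 result=OK",
]

PLC_MODULE_NET = "10.1.9."      # assumed: subnet holding the NOE modules
ENGINEERING_NET = "10.1.2."     # assumed: subnet of the engineering workstations
HARDCODED_ACCOUNTS = {"sysdiag"}  # account name reported by the research
# Backdoor services named in the alert; 17185/udp is the default VxWorks
# WDB agent port (assumption). Modbus 502 is expected traffic and not flagged.
FLAGGED_PORTS = {21: "FTP", 23: "Telnet", 17185: "WDB debug"}

FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
FTP_RE = re.compile(r"ftpd login user=(\S+) host=(\S+) result=(\S+)")


def review_logs(lines):
    """Return (severity, message) findings for sessions reaching the module's
    backdoor services and for logins using a hardcoded account."""
    findings = []
    for line in lines:
        m = FW_RE.search(line)
        if m:
            src, dst, port = m.group(1), m.group(2), int(m.group(3))
            if dst.startswith(PLC_MODULE_NET) and port in FLAGGED_PORTS:
                # A debug/maintenance port reached from outside engineering is worse
                sev = "medium" if src.startswith(ENGINEERING_NET) else "high"
                findings.append((sev, f"{FLAGGED_PORTS[port]} session {src} -> {dst}:{port}"))
            continue
        m = FTP_RE.search(line)
        if m:
            user, host, result = m.groups()
            if user in HARDCODED_ACCOUNTS:
                findings.append(("critical", f"hardcoded account '{user}' used on {host} ({result})"))
    return findings


if __name__ == "__main__":
    for sev, msg in review_logs(SAMPLE_LOGS):
        print(f"[{sev}] {msg}")
```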

The affected products are:

Quantum

  • 140NOE77101 Firmware Version 4.9 and all previous versions.
  • 140NOE77111 Firmware Version 5.0 and all previous versions.
  • 140NOE77100 Firmware Version V3.4 and all previous versions.
  • 140NOE77110 Firmware Version V3.3 and all previous versions.
  • 140CPU65150 Firmware Version V3.5 and all previous versions.
  • 140CPU65160 Firmware Version V3.5 and all previous versions.
  • 140CPU65260 Firmware Version V3.5 and all previous versions.

Premium

  • TSXETY4103 Firmware Version V5.0 and all previous versions.
  • TSXETY5103 Firmware Version V5.0 and all previous versions.
  • TSXP571634M Firmware Version V4.9 and all previous versions.
  • TSXP572634M Firmware Version V4.9 and all previous versions.
  • TSXP573634M Firmware Version V4.9 and all previous versions.
  • TSXP574634M Firmware Version V3.5 and all previous versions.
  • TSXP575634M Firmware Version V3.5 and all previous versions.
  • TSXP576634M Firmware Version V3.5 and all previous versions.

M340

  • BMXNOE0100 Firmware Version V2.3 and all previous versions.
  • BMXNOE0110 Firmware Version V4.65 and all previous versions.
  • BMXP342020 Firmware Version V2.2 and all previous versions.
  • BMXP342030 Firmware Version V2.2 and all previous versions.

STB DIO

  • STBNIC2212 Firmware Version V2.10 and all previous versions.
  • STBNIP2311 Firmware Version V3.01 and all previous versions.
  • STBNIP2212 Firmware Version V2.73 and all previous versions.


Schneider Electric has created a fix for the Telnet and Windriver debug port vulnerabilities for the BMXNOE0100 and 140NOE77101 modules by removing them from the firmware. The fixes will be published on the Schneider website.