ICS Alert

ICS Focused Malware

Alert Code: ICS-ALERT-14-176-02

Description

This alert provides mitigation details for ICS focused malware.

SUMMARY

NCCIC/ICS-CERT is aware of reports of malware targeting industrial control systems (ICSs) that is being distributed via compromised ICS vendor web sites. The ICS vendor web sites were reportedly found to have their products’ downloadable software installers infected with a backdoor Trojan known as the Havex Trojan. Customers of these vendors that visited a compromised site and downloaded and installed the trojanized software could be compromised. This could give attackers access to their networks, including those that operate critical infrastructure. In addition, ICS-CERT is conducting analysis to determine possible linkages between this activity and previous watering-hole compromises and malware campaigns. ICS-CERT will provide updates as they become available.

More information can be found on the F-Secure web site:

http://www.f-secure.com/weblog/archives/00002718.html

ICS-CERT has also posted a TLP Amber report regarding this activity to the control systems compartment of the US-CERT secure portal. This report was developed by an independent organization and provides technical details and analysis of the malware. At the time of this alert, ICS-CERT has not independently validated all the information contained in these reports but is providing it for situational awareness and use in network defense.

ICS-CERT is analyzing the research and coordinating with partners to:

  • Evaluate the install/deployment base of the reported affected vendors
  • Provide additional indicators of compromise
  • Identify any affected entities in the US
  • Reach out to the ICS vendors that were compromised and offer assistance in identifying those customers that may have visited the web site and downloaded the Trojan.

ICS-CERT encourages US asset owners and operators to join the control systems compartment of the US-CERT secure portal. To request access to the secure portal send your name, email address, and company affiliation to ics-cert@hq.dhs.gov.

ICS-CERT requests that any company that identifies activity related to this report notify ICS-CERT immediately for tracking and correlation.

Mitigations

ICS-CERT is currently coordinating with the vendors and security researchers to identify mitigations.

ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation by this malware. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.[1]
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

ICS-CERT also provides a recommended practices section for control systems on the ICS-CERT web site (http://ics-cert.us-cert.gov). Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
