Tag Archives: ics

Wind River Resolves Critical Infrastructure Vulnerabilities

Last week the real-time embedded systems vendor Wind River Systems released security updates for a large number of critical infrastructure systems.

====================
TL DR:
If any of your enterprise clients use within their network perimeter: modems, routers, firewalls, printers, industrial control or medical monitoring devices; check if any of those devices use Wind River’s VxWorks software based on their TP/IP stack (IPnet). If so, review the FAQs and security advisory linked to below to install the necessary updates.
====================

Why should these vulnerabilities be considered important?
The sheer number of affected devices is thought to be very large due to the prevalence of devices running the vulnerable VxWorks software. I realize the list of devices above is very generic but the FAQs and security advisory are not vendor or model specific. This means you may have some of these devices and not even realize it. Verifying if they are using VxWorks and what version will be a priority.

Since medical monitoring and industrial control devices are included in this advisory; if these vulnerabilities are exploited there is the potential for a threat to human life. E.g. if incorrect results are displayed on a medical device, too much medication is administered, or if temperatures exceed safe levels in an industrial control system.

Due to the nature of four of the vulnerabilities; a border firewall will not always be enough to prevent an attacker exploiting. Broadcast packets could be sent to every device in the network, compromising them all at once.

How can I protect my organization from these vulnerabilities?
Review the FAQs and the security advisory and take the necessary steps to install the relevant patches. If your organisation is affected; first apply the necessary mitigations to any vulnerable device you initially discover while you assess the remaining number of impacted devices and develop a plan/schedule to approach the installation of the patches:

Mitigations listed on Page 3 (onwards) of this security advisory:
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/security-advisory-ipnet/

FAQs:
https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/ipnet-faq/

From my understanding of the information provided by Wind River they are directly contacting their affected clients and may offer paid for assistance to resolve these vulnerabilities for out of support devices. However, there is a possibility they may inadvertently miss an affected organisation. Please contact Wind River if in doubt:

support@windriver.com

Thank you.

====================
References:
Wind River’s Blog Post:
https://blogs.windriver.com/wind_river_blog/2019/07/urgent-11-further-boosts-vxworks-security.html

Kaspersky ThreatPost article:
https://threatpost.com/urgent-11-critical-infrastructure-eternalblue/146731/
====================

VPNFilter: Overview and removal

====================
Update: 24th October 2018:
====================
Researchers from Cisco’s Talos team have discovered further capabilities of this malware. As detailed below the 3rd stage of the malware features:

Provides plugins for the RAT (defined below in the original post) to extend its functionality.

However, the team was able to determine the following extra capabilities:

  1. Packet sniffing (obtain information from passing data packets (defined) on a network connection)
  2. JavaScript (defined) injection used to deliver exploit (a small piece of software used to trigger a known vulnerability to the advantage of an attacker) to a compromised device (most likely a router).
  3. Encrypted tunnelling (defined) to hide data the malware steals as well as the existing command and control data traffic.
  4. Creating network maps (defined)
  5. Remote connection/administration via SSH (Secure Shell)(defined)
  6. Port forwarding (defined)
  7. Create SOCK5 (defined) proxies (defined)
  8. DDoS (defined)

The good news about this malware is that from the Talos team’s research it does not appear that any malware samples remain active. However; they caution it is not possible to assume that this malware has finished its malicious actions and the possibility of its return remains.

Thank you.

====================
Update: 20th June 2018:
====================
If you would prefer a video or a podcast of how to remove this malware from your router, this Sophos blog post provides links to both. The video is hosted on Facebook but a Facebook account isn’t required to view it. Sophos also provide an archive of previous videos on the same Facebook page.

Thank you.

====================
Update: 6th June 2018:
====================
The Cisco Talos team have provided an updated list of known affected routers. I have added these to the list below with “(new)” indicating a new device on the existing list. I have also updated the malware removal advice to provide easier to follow steps.

Thank you.

====================
Original Post:
====================
In late May; a strain of malware known as VPNFilter affecting routers from the vendors listed below was publicly disclosed by the Cisco Talos team:

Affected vendors:
Asus RT-AC66U (new)
Asus RT-N10 (new)
Asus RT-N10E (new)
Asus RT-N10U (new)
Asus RT-N56U (new)
Asus RT-N66U (new)
D-Link DES-1210-08P (new)
D-Link DIR-300 (new)
D-Link DIR-300A (new)
D-Link DSR-250N (new)
D-Link DSR-500N (new)
D-Link DSR-1000 (new)
D-Link DSR-1000N (new)
Huawei HG8245 (new)
Linksys E1200
Linksys E2500
Linksys E3000 (new)
Linksys E3200 (new)
Linksys E4200 (new)
Linksys RV082 (new)
Linksys WRVS4400N
Mikrotik CCR1009 (new)
Mikrotik Cloud Core Router (CCR) CCR1016
Mikrotik CCR1036
Mikrotik CCR1072
Mikrotik CRS109 (new)
Mikrotik CRS112 (new)
Mikrotik CRS125 (new)
Mikrotik RB411 (new)
Mikrotik RB450 (new)
Mikrotik RB750 (new)
Mikrotik RB911 (new)
Mikrotik RB921 (new)
Mikrotik RB941 (new)
Mikrotik RB951 (new)
Mikrotik RB952 (new)
Mikrotik RB960 (new)
Mikrotik RB962 (new)
Mikrotik RB1100 (new)
Mikrotik RB1200 (new)
Mikrotik RB2011 (new)
Mikrotik RB3011 (new)
Mikrotik RB Groove (new)
Mikrotik RB Omnitik (new)
Mikrotik STX5 (new)
Netgear DG834 (new)
Netgear DGN1000 (new)
Netgear DGN2200
Netgear DGN3500 (new)
Netgear FVS318N (new)
Netgear MBRN3000 (new)
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
Netgear WNR2200 (new)
Netgear WNR4000 (new)
Netgear WNDR3700 (new)
Netgear WNDR4000 (new)
Netgear WNDR4300 (new)
Netgear WNDR4300-TN (new)
Netgear UTM50 (new)
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
TP-Link TL-WR741ND (new)
TP-Link TL-WR841N (new)
Ubiquiti NSM2 (new)
Ubiquiti PBE M5 (new)
UPVEL Unknown Models* (new)
ZTE ZXHN H108N (new)

Why should this malware be considered important?
The authors (thought to be a group funded by a nation state) of this malware are using it to hijack vulnerable routers (500,000 are known to have been compromised across 54 countries) for possible use in cyberattacks against the Ukraine. Indeed, the malware more recently began seeking out Ukrainian routers specifically. The Ukrainian Secret Service issued a security alert on this on the 23rd of May.

The malware has the ability to do so by utilising previously publicly disclosed (defined) vulnerabilities to gain access and persistence (namely remaining present after the router is powered off and back on) within these routers. Last week the FBI took control of this botnet and are now working to clean up the affected devices.

The malware is very sophisticated and can persist within a router even if the router is powered off and back on (becoming the second malware to have this ability, the first being the Hide and Seek botnet). The malware is made up of 3 stages:

Stage 1: Is responsible for the persistence (mentioned above).
Stage 2: Providing the capabilities of a remote access Trojan (RAT)(defined)
Stage 3: Provides plugins for the RAT to extend it’s functionality.

The malware also has the capability to do the following:

  1. Wipe the firmware (see Aside below for a definition) of routers rendering them useless
  2. Inspect the data traffic passing through the router (with the possible intention of obtaining credentials passing over the wire to gain access to sensitive networks)
  3. Attempt to locate ICS/SCADA devices (defined) on the same network as the router by seeking out port 502 traffic, namely the Modbus protocol (defined) with the option of deploying further malware
  4. Communicate via the Tor network (definition in the Aside below).

How can I protect my devices from this malware?
The FBI are asking anyone who suspects their internet router to be infected to first reboot it (turn on and off the router). This will cause an infected device to check-in with the now under FBI control C&C (command and control, C2 (defined) server to provide them with a better overview of the numbers of infected devices.

To completely remove the malware; reset the device to factory defaults (this won’t harm a non-infected either but please ensure you have the necessary settings to hand to re-input them into the router, your internet service provider (ISP) will be able to help with this). This will remove stage 1 of the malware (stage 2 and 3 are removed by turning the router on an off).

To prevent re-infection: Cisco Talos’ team recommendations are available from this link. Moreover the US CERT provide recommendations here and here. Symantec’s recommendations are provided here (especially for Mikrotik and QNAP devices).

Further advisories from router manufacturers are as follows (their advice should supersede any other advice for your router model since they know their own devices the best):

Linksys
MiktroTik
Netgear
QNAP
TP-Link

Further recommendations from Sophos are:

  • Check with your vendor or ISP to find out how to get your router to do a firmware update.
  • Turn off remote administration unless you really need it
  • Choose strong password(s) for your router
  • Use HTTPS website where you can

A very useful and easy to follow step by step walk through of removing this malware by BleepingComputer is available from this link with useful guidance for multiple router models.

Thank you.

=======================
References:
New VPNFilter malware targets at least 500K networking devices worldwide : Cisco Talos team
=======================

=======================
Aside:
What is firmware?
Firmware is semi-permanent embedded software code that allows a device to carry out its function by having the low-level hardware carry out useful sequences of events.

What is The Onion Router (Tor)?
The Onion Router (Tor) is an open source (defined) project with the goal of protecting your privacy by passing your web browsing activity through a series of anonymous relies spread across the internet. These relays act like proxy servers which encrypt and randomly pass the traffic they receive from relay to relay.

This web of proxies is sometimes referred to as the Dark web (a portion of the internet only accessible using the Tor network). This makes tracing the source of the source almost impossible.
=======================

Mitigating the Increasing Risk Facing Critical Infrastructure and the Internet of Things

With attackers and malware authors extending their reach to more and more areas of our everyday lives, both companies and individuals need to take steps to improve the security of their equipment/devices. It’s not just devices such as thermometers (while important) in our homes at risk; devices that impact health and safety as well as entire communities and economies are being / or will be targeted.

For example, last month a cyber-attack took place in Ukraine that while it only lasted approximately 1 hour, served to cause a power outage in an entire district of Kiev. The on-going investigation into this attack believes it to be the same attackers responsible for the December 2015 attack (that attack affected approximately 250,000 people for up to 6 hours).

In a similar manner, a smaller energy company (at an undisclosed location) was a victim of the Samsam ransomware (defined). The attackers initially compromised the web server and used a privilege escalation vulnerability (defined) to install further malware and spread throughout the network. The attackers demanded 1 Bitcoin per infected system. The firm paid the ransom and received a decryption key that didn’t work.

Fortunately, this energy company had a working backup and was back online after 2 days. The root cause of infection? Their network not being separated by a DMZ (defined) from their industrial networks. This Dark Reading article also details 2 further examples of businesses affected who use industrial systems namely a manufacturing plant and a power plant. Both were located in Brazil.

Mark Stacey of RSA’s incident response team says that while nation states have not yet employed ransomware in industrial systems, it will certainly happen. He cites the example of a dam, where the disabling of equipment may not demand a large ransom compared to the act of encrypting the data required for its normal operation.

Former US National Security Official Richard Clarke is suggesting the use of a tried and tested means of increasing the security of all deployed industrial control systems. As it is very difficult convincing those on the Board of Directors to provide budget for something that has not happened/may not happen, he suggests employing an approach similar to that of the Y2K bug. This would require introducing regulations that require all devices after a given date be in a secured state against cyber-attack. He advocates electric power, connected cars and healthcare providers follow this approach and notes that without regulation “none of this is going to happen.” Since these regulations would apply to all ICS/SCADA (defined) vendors, they would also not loose competitiveness

With security analysts predicting further compromises of ICS/SCADA equipment this year, we need to better protect this infrastructure.

For enterprises and businesses, the regulations proposed above should assist with securing IoT and ICS/SCADA devices. However, this is just the beginning. This scanner from Beyond Trust is another great start. As that article mentions the FTC is offering $100,000 to “a company that can discover an innovative way of managing and patching IoT devices.” Securing IoT devices is not an easy problem to solve.

However, progress is happening with securing critical infrastructure and Internet of Things (IoT)(defined) devices. For example, please find below resources/recommendations, tools and products that can help protect these systems and devices.

How can we better secure ICS/SCADA devices?
These devices power our critical infrastructure e.g. power, gas, communications, water filtration etc. The US ICS-CERT has a detailed list of recommendations available from the following links:

ICS CERT Recommended Practices
ICS-CERT Secure Architecture Design
ICS Defense In-Depth (PDF)

An ICS-CERT overview of the types of vulnerabilities that these systems face.

Securing IoT devices in industry
Free IoT Vulnerability Scanner Hunts Enterprise Threats (Dark Reading.com)
Defending the Grid
Network and IoT to underpin Trend Micro’s 2017 strategy

Securing IoT in the medical sector/businesses
Hospitals are under attack in 2016 (Kaspersky SecureList)
Fooling the Smart City (Kaspersky SecureList)

Recommendations for consumer IoT devices are the following
My previous recommendations on securing IoT devices
Blog Post Shout Out: New Wireless Routers Enhance Internet of Things Protection
Securing Your Smart TV
8 tips to secure those IoT devices (Network World)
Who Makes the IoT Things Under Attack? (Krebs on Security)

=======================
I hope that you find the above resources useful for securing ICS/SCADA as well as IoT devices that are very likely a target this year.

Thank you.