Threat Report on Industrial Automation Systems, H1 2018 (PDF)

Threat Landscape for Industrial Automation Systems, H1 2018
06.09.2018, Version 1.0
Kaspersky Lab ICS CERT
Kaspersky Lab, 1997-2018

Contents

H1 2018 Key events
Spectre and Meltdown vulnerabilities in industrial solutions
Energetic Bear/Crouching Yeti: attacks on servers
Cryptominers in industrial networks
Large-scale attacks on Cisco switches affect critical infrastructure objects
New VPNFilter malware with SCADA monitoring function
Attack on satellite systems
Key research: details on Triton malware
IoT botnet activity
Ransomware attacks
Attacks on industrial enterprises using RATs
RMS and TeamViewer-based phishing attacks
Attacks using RATs in a company's industrial network
Threat statistics
Methodology
Percentage of ICS computers attacked
Geographical distribution
Factors affecting the cybersecurity of ICS computers
Main sources of infection
Main sources of ICS computer infections by region
Internet
Removable media
Email clients
Malware on industrial automation systems
Platforms used by malware
Exploits
Spyware
Our recommendations

For many years, Kaspersky Lab experts have been uncovering and researching cyberthreats that target a variety of information systems: those of commercial and government organizations, banks, telecoms operators, industrial enterprises, and individual users. In this report, Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the findings of its research on the threat landscape for industrial automation systems conducted during the second half of 2017.

The main objective of these publications is to provide information support to global and local incident response teams, enterprise information security staff and researchers in the area of industrial facility security.

H1 2018 Key events

Spectre and Meltdown vulnerabilities in industrial solutions

In early 2018, vulnerabilities that allow unauthorized access to virtual memory content were discovered in Intel, ARM64 and AMD processors. The attacks exploiting these vulnerabilities were given the names Meltdown and Spectre. The issue is related to three vulnerabilities:

- bounds check bypass (CVE-2017-5753/Spectre);
- branch target injection (CVE-2017-5715/Spectre);
- rogue data cache load (CVE-2017-5754/Meltdown).

While both Spectre and Meltdown attacks allow user applications to obtain other programs' data, Meltdown attacks also allow kernel memory to be read. This problem has affected many computers, servers and mobile devices running Windows, macOS, Linux, Android, iOS and Chrome OS that use vulnerable microprocessors.

Industrial equipment (SCADA servers, industrial computers and network devices with vulnerable processors) also proved vulnerable to Meltdown and Spectre. One of the first companies to report about the vulnerabilities in their products was Cisco. Affected devices include Cisco 800 Industrial Integrated Services Routers and Industrial Ethernet 4000 switches. Other industry vendors then published notifications about the impact of the Meltdown and Spectre vulnerabilities on their products. PHOENIX CONTACT informed customers that dozens of its products, including control systems, industrial computers and HMI, were vulnerable to Meltdown and Spectre. Among the vulnerable Yokogawa products were the CENTUM VP/CS 3000 Field Control Station (FCS) and the ProSafe-RS Safety Control Station (SCS).

Meltdown and Spectre also affected Siemens industrial equipment: RUGGEDCOM APE and RX1400 VPE devices, SIMATIC HMI Comfort panels, SIMATIC IPC industrial computers, SIMATIC S7-1500 Software Controller PLC, and others. As well as the information on Meltdown and Spectre, Siemens reported its solutions being affected by two more vulnerabilities from a class of vulnerabilities referred to as Spectre Next Generation (Spectre-NG), discovered later, in May 2018. Other vendors, including Schneider Electric, ABB and OSIsoft, also published information about the use of vulnerable processors in their products.

Energetic Bear/Crouching Yeti: attacks on servers

In February, Kaspersky Lab ICS CERT published a report on an investigation into the initial infection tactics used by the notorious APT group Energetic Bear/Crouching Yeti, as well as the results of an analysis of several web servers compromised by the group in 2016 and early 2017, using information provided by the server owners.

Energetic Bear/Crouching Yeti has been active since at least 2010, attacking companies and individuals in various countries. The specialists at CrowdStrike initially noted a strong focus on the energy and industrial sectors, which may explain the name Energetic Bear. Later, when the diversity of the group's attacks became clearer, the researchers at Kaspersky Lab named it Crouching Yeti. The targets of the attacks are mainly concentrated in Europe and the US. Recently, the number of attacks on companies in Turkey increased significantly. According to US-CERT and the UK National Cyber Security Centre, the Energetic Bear/Crouching Yeti APT group is linked to the Russian government.

The initial infection tactic used by the group is a multi-step process that begins with phishing emails being sent out with malicious documents and infecting various servers. Some infected servers are used by the group as auxiliaries, used only for hosting various tools. Others are infected so they can be used in watering hole attacks, with some servers hosting an SMB link that leads to other servers that steal the authentication data of potential victims.

With some rare exceptions, the Energetic Bear/Crouching Yeti group uses publicly available tools to carry out their attacks. All the utilities discovered by the Kaspersky Lab ICS CERT experts have open source code that is freely available on GitHub. This makes the task of attack attribution very difficult without additional group "markers". In most cases observed by Kaspersky Lab ICS CERT, the attackers performed tasks to identify vulnerabilities, gain persistence on different nodes and steal authentication data in order to develop the attack further.

An analysis of the compromised servers and the attacks on them showed that for Energetic Bear/Crouching Yeti, almost any vulnerable server on the internet is seen as a potential foothold from which to develop targeted attacks. The investigation into the initial, intermediate and subsequent targets of these attacks also revealed a diverse geography. The largest number of victims and targets was in Russia, followed by Turkey and Ukraine. Under half of the systems attacked were related to industry, agricultural services and utilities.

Cryptominers in industrial networks

In February 2018, several media reports claimed industrial enterprises were infected with malware containing cryptocurrency mining functionality. At one wastewater treatment plant in Europe, four servers running Windows XP and CIMPLICITY SCADA software from GE Digital were compromised. The malware slowed down the HMI and SCADA servers used for monitoring industrial processes. Tesla's cloud servers were also breached and their computing resources utilized to mine the Monero cryptocurrency. Cybercriminals attacked the Kubernetes framework used in the electric vehicle manufacturer's infrastructure and embedded malware to generate cryptocurrency.

According to Kaspersky Lab ICS CERT, these widely publicized incidents are far from being unique and reflect a worrying overall trend. Since April 2018, Kaspersky Lab has been using more accurate verdicts to collect statistics about miners. They now include miners that were previously detected as Trojans. As a consequence, our statistics show that the percentage of ICS computers attacked by malicious programs designed for mining cryptocurrencies has grown sharply since April and in the first half of 2018 reached 6%, 4.2 percentage points more than in the previous six months.

[Figure: Share of ICS computers attacked by cryptocurrency mining malware]

The main problem caused by mining malware is the increased load on industrial information systems. This is likely to be inadmissible for many industrial automation systems, as it could affect the stability of their operations and reduce the level of control over the industrial process at the enterprise.

Large-scale attacks on Cisco switches affect critical infrastructure objects

On April 6, attacks targeting Cisco IOS switches were detected around the world, affecting the operations of internet providers, data centers and websites. The attackers exploited the CVE-2018-0171 vulnerability in the Cisco Smart Install Client software. According to the Cisco Talos team, more than 168,000 devices worldwide are potentially exposed. The attack utilized a special bot that detects vulnerable devices, replaces the Cisco IOS image on the switches and modifies the configuration file. The switch then becomes unavailable. The attacks had an obvious focus on organizations in Russia and Iran. According to Cisco Talos, the targeted companies included critical infrastructure facilities.

New VPNFilter malware with SCADA monitoring function

In May 2018, the new VPNFilter malicious software was discovered. It infected at least 500,000 routers and network-attached storage devices (NAS) in 54 countries. VPNFilter has a complex modular architecture whose components implement various functions, including collecting network traffic and data, executing commands and controlling the device, intercepting packets, monitoring Modbus protocols, and communicating with the command server via the Tor network.

The malware exploits a variety of known vulnerabilities to infect devices, but the infection vector is not yet clear. During infection, a component is installed that persists through a reboot and is capable of downloading additional malicious modules. That is why VPNFilter requires the close attention of the information security community: this malware can be used to steal credentials, detect industrial SCADA equipment, and perform various attacks using infected devices together in a botnet.

Attack on satellite systems

In June 2018, a massive cyberattack originating from computers in China was detected. It targeted telecom operators, a satellite communications operator, as well as defense contractors in the United States and countries in South-East Asia. During the attack, cybercriminals compromised computers used to control communication satellites and collect geolocation data. Expert opinion suggests the motives behind the cyberattacks were to spy and intercept data from civil and military communication channels. However, an attack like this could potentially lead to an unauthorized change to the location of satellites in orbit and disrupt c
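The Spectre and Meltdown section above names three CVEs and lists the affected vendors, but it does not show how an operator verifies the mitigation status of the Windows, Linux or industrial PC hosts under their own control. The following script is an added example written for this page, not code from the Kaspersky report or from any vendor advisory; it reads the Linux kernel's sysfs vulnerability files (a real interface, /sys/devices/system/cpu/vulnerabilities/, present since kernel 4.15) and maps the three CVEs from the report to the kernel's file names. The sample status strings are constructed to resemble kernel output for a partially patched host; for embedded industrial equipment that does not expose this interface, the vendor advisories named in the section remain the source of truth.

```python
"""Summarize Linux-reported Spectre/Meltdown mitigation status for the three
CVEs named in the report. Added example; not part of the Kaspersky report."""
import os

# Real sysfs directory exposed by Linux 4.15+; each file holds one status line.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Report's CVE identifiers mapped to the kernel's file names for the same issues.
CVE_TO_SYSFS = {
    "CVE-2017-5753": "spectre_v1",  # bounds check bypass
    "CVE-2017-5715": "spectre_v2",  # branch target injection
    "CVE-2017-5754": "meltdown",    # rogue data cache load
}


def classify(status):
    """Reduce the kernel's free-text status line to one of four verdicts."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # empty, unreadable, or a format this script does not know


def read_sysfs(directory=SYSFS_DIR):
    """Read every status file in the directory; empty dict if the host lacks it."""
    statuses = {}
    if not os.path.isdir(directory):
        return statuses
    for name in sorted(os.listdir(directory)):
        try:
            with open(os.path.join(directory, name)) as fh:
                statuses[name] = fh.read().strip()
        except OSError:
            statuses[name] = ""  # unreadable entry: classify() reports unknown
    return statuses


def summarize(statuses):
    """Map the report's three CVEs to verdicts; a missing file counts as unknown."""
    return {cve: classify(statuses.get(fname, ""))
            for cve, fname in CVE_TO_SYSFS.items()}


def needs_attention(summary):
    """CVEs whose verdict is vulnerable or unknown, i.e. not demonstrably closed."""
    return sorted(cve for cve, verdict in summary.items()
                  if verdict in ("vulnerable", "unknown"))


# Constructed sample resembling sysfs output on a host with kernel page-table
# isolation enabled but without a working Spectre v2 mitigation.
SAMPLE_STATUSES = {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    "meltdown": "Mitigation: PTI",
}

if __name__ == "__main__":
    # Use the live sysfs data when available, otherwise the constructed sample.
    statuses = read_sysfs() or SAMPLE_STATUSES
    summary = summarize(statuses)
    for cve, verdict in summary.items():
        print(f"{cve}: {verdict}")
    print("needs attention:", needs_attention(summary))
```

Treating "unknown" the same as "vulnerable" in needs_attention() is deliberate: a host that cannot report its status has not demonstrated that the issue is closed, which is the conservative reading an ICS asset inventory should take.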
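The VPNFilter section above notes that one of the malware's modules monitors Modbus traffic, which is a reminder that the Modbus/TCP protocol carries no authentication and that a compromised router sits in a position to observe or inject it. The script below is an added example written for this page, not code from the Kaspersky report or from the VPNFilter analysis it summarizes; it parses the Modbus/TCP MBAP header and flags state-changing function codes sent by hosts outside an engineering allowlist, which is the kind of check a network monitor on the OT segment can run. The allowlist, host addresses and frames are all constructed for the example.

```python
"""Flag Modbus/TCP write operations from hosts outside an engineering allowlist.
Added example; not part of the Kaspersky report. Frames and addresses are constructed."""
import struct
from dataclasses import dataclass

# Function codes that change PLC state; an HMI or historian that only reads
# values should never send them, so a write from such a host is worth an alert.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload):
    """Parse the 7-byte MBAP header plus the PDU function code from a TCP payload."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(payload) - 6:  # length field counts unit id + PDU bytes
        raise ValueError("MBAP length field disagrees with payload size")
    return ModbusFrame(tid, unit, fc, payload[8:])


def inspect_frame(src_ip, payload, write_allowlist):
    """Return an alert dict for a suspicious frame, or None if it is acceptable."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as err:
        return {"src": src_ip, "reason": f"malformed frame: {err}"}
    if frame.function_code in WRITE_FUNCTIONS and src_ip not in write_allowlist:
        return {
            "src": src_ip,
            "unit": frame.unit_id,
            "function": WRITE_FUNCTIONS[frame.function_code],
            "reason": "write from host outside engineering allowlist",
        }
    return None


def scan(records, write_allowlist):
    """Run inspect_frame over (src_ip, payload) pairs and collect the alerts."""
    alerts = []
    for src_ip, payload in records:
        alert = inspect_frame(src_ip, payload, write_allowlist)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: only the engineering station may write to the PLCs.
ENGINEERING_HOSTS = {"10.0.5.10"}

# Constructed TCP payloads: MBAP header (tid, proto, length, unit) then PDU.
SAMPLE_TRAFFIC = [
    # HMI reading 10 holding registers from address 0: function 3
    ("10.0.5.20", bytes.fromhex("000100000006010300000" "00a")),
    # engineering station writing register 0x0010 := 0x002a: function 6
    ("10.0.5.10", bytes.fromhex("00020000000601060010002a")),
    # unknown host on the same segment writing register 0x0010 := 0
    ("10.0.5.99", bytes.fromhex("000300000006010600100000")),
    # unknown host sending a truncated frame (7 bytes, no function code)
    ("10.0.5.99", bytes.fromhex("00040000000301")),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TRAFFIC, ENGINEERING_HOSTS):
        print(alert)
```

The parser rejects frames whose MBAP length field disagrees with the bytes actually present rather than guessing, because a monitor that silently tolerates malformed frames can be made to miss the function code it is supposed to inspect; reporting those frames as their own alert keeps that failure mode visible.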